Privacy policy


This Privacy Notice (hereafter as “Privacy Notice”) applies to the processing of personal data by Bank One Limited (hereafter as “Bank One”; “we”; “us” and “our”), of data subjects who subscribe to the pop Application (hereafter referred to as “Customers”; “you” or “your”) or pop Merchants (hereafter referred to as “Merchants”; “you” or “your”).

Words used with respect to the pop Application in the present Privacy Notice shall have, except where not appropriate in the context, the meanings as described in the pop Terms and Conditions.

This notice applies where we are acting as a data controller with respect to the personal data of our Customers and Merchants. As data controller, we determine the purposes and means of the processing of that personal data.

We are committed to safeguarding the privacy of our Customers and Merchants. As a result, we would like to inform you regarding the way we would use your personal data, pursuant to the Data Protection Act 2017 (hereafter the “DPA”) and where applicable, the European Union General Data Protection Regulation 2016/679 (hereafter the “GDPR”) (the DPA and the GDPR being hereafter referred to as the “applicable data protection laws”).

Our Privacy Notice sets out the types of personal data we collect, how we collect and process that data, who we may share this information with and the rights you have in this respect.

Who we are

pop is the registered trademark in the name of Bank One Limited which will be used to identify the pop Application and pop Merchants.

Bank One is a top-tier banking institution incorporated in 2008 following a joint venture between Mauritian conglomerate CIEL Finance Ltd and Kenya-based I&M Holdings PLC. Leveraging on a team of talented professionals across its four main business segments namely Retail, Corporate, Private and International Banking, Bank One has strengthened its presence both locally and regionally whilst mastering the complexities of the different geographies and markets where it is present. For more information, please refer to the About Us section on our website at:

We are registered in Mauritius under registration number C40612.

Our principal place of business is at 16, Sir William Newton Street, Port Louis, Mauritius.

Technical terms

We have tried to use simple and plain English as far as possible in this Privacy Notice. However, data protection is a complex subject and the use of technical terms from time to time is inevitable. We have therefore set out below definitions of the technical terms we have used in this document:

“Consent” means any freely given, specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed.

“Controller” means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.

“Data subject” means an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. For the purpose of this Policy data subjects include all living individuals about whom we hold personal data. A data subject need not be a Mauritian national or resident in Mauritius.

“Direct marketing” means the communication of any advertising or marketing material which is directed to any particular individual.

“Personal data” means any information relating to a data subject and more specifically: (i) data relating to a living individual who can be identified from that data, or (ii) data or other information about a living individual whose identity is apparent or can reasonably be ascertained from the data. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

“Processor” means any person who or public body which, processes personal data on behalf of the Company.

“Processing” means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Special categories of personal data”, in relation to a data subject, means personal data pertaining to: (a) his racial or ethnic origin; (b) his political opinion or adherence; (c) his religious or philosophical beliefs; (d) his membership of a trade union; (e) his physical or mental health or condition; (f) his sexual orientation, practices or preferences; (g) his genetic data or biometric data uniquely identifying him; (h) the commission or alleged commission of an offence by him; (i) any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any Court in the proceedings.

Personal data we may collect about you

The type of data we collect will depend on the purpose for which it is collected and used. We will only collect data that we need for that purpose.

We may collect your personal data in the following ways:
(a) When you give it to us directly for e.g. you use any of our services, you correspond with us and provide us with your information, by email, through pop Application or pop Merchants, through the filing of forms, or when you visit the website (hereinafter “pop Website”) during your meetings and telephone conversations with our staff or when you visit our premises. (b) When we obtain it indirectly for e.g., information is shared with us by third parties (such as your credit reference agencies and law enforcement authorities). In such a case, the third party must confirm that you have consented to the disclosure of your personal data to us.

The types of personal data that are collected and processed may include:

Categories of Personal Data
Contact details

First name, surname (and any previous names), home/ business address, proof of address, email address, office phone number, cell phone number

Individual details
Sex (male/female), nationality, photographs
Employment details
Occupation and income, job title, company, occupational permit, business registration card and trade license, permit, or exemption certificate
National identification details
Identification numbers issued by government bodies or agencies such as your passport number and identity card number and driving license number, specimen signature
Financial information
Bank name, bank account number, transactional information on your accounts/dealings including income/ pay details on pop Application or pop Merchants
IT information
Information required to provide access to and for making use of pop Application or pop Merchants, such as login information (username, user ID and password) Information stored on our email server, demographic information such as preferences and interests.
Physical security information
Information recorded in our visitors’ logbook (reason for visit, organisation name, identification measures used, date and time of visit – for COVID-19 protocols), CCTV footage
Voice information
Recorded telephone conversations with Bank One’s staff.
Special categories of personal data/ Data on vulnerable persons
Biometric data in the form of photographs and voice recordings
Information about requests, queries and complaints


We use cookies on the pop Website. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you visit our website. Please refer to our Cookie Policy, available at the pop Website which covers in detail the aspects of cookie usage and the purposes for which we use cookies.

How we use your personal data

Bank One will only use your personal data for thepurposes for which it was collected or agreed with you.

From time to time, we, or another entity with whom we have shared your personal data with your consent, may process your data on an automated basis with the aim of evaluating certain characteristics of yours (profiling) if you have provided your consent for such processing. Profiling is used to provide you with tailored information regarding the products and services offered by us. To this end, data analysis using third parties may be undertaken. This enables us to target appropriate communications and advertisements at you, including recommending products and services that we think might be suitable for you.

We have set out below the legal basis of processing for each purpose. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your personal data.

Purpose of processing
Legal basis
For the purposes of contacting you through various channels such as email, phone, post, SMS or any other electronic means as appropriate for commercial events, offers and/or services or other marketing products which may be of interest to you
For the purposes of subscribing to our email notifications or newsletters and offering you the opportunity to take part in competitions or promotions
For the purposes of entering into an agreement with you regarding provision of products/ services and to administer and manage our relationship with you. Process your personal information for ordinary business purposes, namely:
• to open and maintain your account,
• to give effect to transactions,
• to administer claims where applicable,
• for the purpose of credit assessment, including conducting credit checks and setting credit limits, and to manage our risks
Performance of any contractual obligations towards you.
For the purposes of assessing the risk in providing a product or service and performing customer due diligence
For compliance with a legal or regulatory obligation to which we are subject to, under for instance the relevant AML/CFT regulations and guidelines.
For the purposes of record keeping
For compliance with a legal or regulatory obligation to which we are subject to, such as internal/external audit,proper maintenance of records relating to your transactions and retention periods, as per relevant AML/CFT regulations and guidelines for example.
For the purposes of analysing the effectiveness of our services using your feedback
Legitimate interests, namely of improving our services
For the purposes of ensuring the security of our information systems and maintaining back-ups of our databases
For compliance with legal obligation
For the purposes of managing our relationships with customers, communicating with customers and keeping records of those communications
Performance of any contractual obligations towards you.
For the purposes of confirming and verifying your identify when you request to access, rectify, restrict or delete the information we hold on you
For compliance with a legal obligation to which we are subject to, that is, to verify the identity of a data subject who makes a subject rights request
For the purposes of replying to any requests, complaints, comment or enquiries you submit to us regarding our services and notifying you about changes to our service
Performance of any contractual obligations towards you.
Processing CCTV footage captured on our premises for the purposes of: • Protecting your personal safety when you are on our premises
Legitimate interests of ensuring physical security on our premises.
For the purposes of conducting market or customer satisfaction research, for statistical analysis, or for analysing the effectiveness of our advertisements, and promotions
Legitimate interests, namely the proper administration of our business
To record phone calls between customers and the bank for effective documentation of the business transaction

In addition to the above-mentioned specific purposes for which we may process your personal data, we may also process any of your personal data where suchprocessing is necessary for compliance with legal and regulatory requirements which apply to us, or when it is otherwise allowed by law, or when it is in connectionwith legal proceedings.

Whether the supply of personal data is voluntary or mandatory

The provision of personal data is of course entirely voluntary. You are free to choose whether to provide your personal data to us or not. Please note however that if you choose not to provide your personal data to us, we may not be able to provide certain services to you or enter into a contractual relationship with you.

Disclosure of personal data

We may need to share your personal data with third parties which assist us in fulfilling our responsibilities regarding our business relationship with you and forthe purposes listed above. Bank One may disclose your personal data to the following third parties:

a) We may make certain personal data available to third party service providers and agents who provide services to us (such as marketing tool providers, payment software providers, credit reference agencies, loyalty programme partners). When we share with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of your personal data.

b) We may also be required to disclose your personal data to other third parties such as lawyers, consultants, insurers, auditors as well as public and government authorities for purposes mentioned in Section 6 or where:

  • We have a duty or a right to disclose in terms of law or for national security and/or law enforcement purposes;
  • We believe it is necessary to protect our rights;
  • We need to protect the rights, property or personal safety of any member of the public or a customer of our company or the interests of our company; or
  • You have given your consent.

c) We may, from time to time, disclose your personal information, with your consent, to other companies with which we have partnered and after putting in place the necessary sharing agreements. The objective of this disclosure is to better identify your needs and provide tailor-made packages and services to you.

We require our service providers and other third parties to keep your personal data confidential and that they only use the personal data in furtherance of the specific purpose for which it was disclosed. We have written agreements in place with our processors to ensure that they comply with these privacy terms.

Personal data security

We are legally obliged to provide adequate protection for the personal data we hold. We have put in place appropriate security and organisational measures to prevent your personal data from being subject to any accidental or unlawful destruction, loss, alteration, and any unauthorised disclosure or access.

We have also put in place procedures to deal with any suspected data security breach and will notify you and the Data Protection Office of a suspected breach where we are legally required to do so.

We will, on an on-going basis, continue to review our security controls and related processes to ensure that your personal data is secure.

Our security policies and procedures cover, amongst others:

  • Access to personal data
  • Encryption
  • Password
  • Media Handling
  • Security Compliance
  • Network Control
  • Firewall
  • Backup of data
  • Incident management
  • Risk Assessment
  • Use and misuse of IT assets
  • Physical security
  • Antivirus
  • Audit Trail Logs
  • Outsourced Software Development
  • Third Party and Contract Management

When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that personal data that we remain responsible for is kept secure.

We will ensure that anyone to whom we pass your personal data agrees to treat your data with the same level of protection as we are obliged to.

International transfers

We may transfer personal data outside Mauritius as may be necessary for the purposes mentioned above. If we transfer your personal data to other countries, we will ensure that there are appropriate safeguards in place with regards to the protection of your personal data.

Those transfers would always be made in compliance with the applicable data protection laws. Data transfers do not change any of our commitments to safeguard your privacy and your personal data remains subject to existing confidentiality obligations.

If you would like further details on the transfer of your personal data outside Mauritius, please contact our Data Protection Officer (hereafter “DPO”) by referring to Section 10.

Your data protection rights

Under the applicable data protection laws, you have rights we need to make you aware of and which are set out below. The rights available to you depend on our reason for processing your information. If you wish to exercise any of the said rights, we encourage you to contact our Data Protection Officer.

Your right to erasure of your personal data

You have the right to ask us to delete your personal data in certain circumstances:

  • When we no longer need your personal data;
  • If you initially consented to the use of your personal data, but have now withdrawn your consent;
  • If you have objected to us using your personal data, and your interests outweigh ours; and
  • If we have collected or used your personal data unlawfully

Where we collect personal data for a specific purpose, we will not keep it for longer than is necessary to fulfil that purpose, unless we have to keep it for legitimate business or legal reasons. Upon the determined expiry date, we will securely destroy your personal data. Retention periods are indicated in Annex A’s Records Retention and Disposal Schedule. When we delete data from our servers, no residual copies remain on our servers. Data from our backup tapes are also deleted depending on the next scheduled backup overwrite which may be on a weekly, monthly or yearly basis in accordance with its configuration.

You will understand that this right is not absolute and that it will not be applicable where the exceptions provided for by law apply, including where our processing of your personal data is necessary for the purpose of historical, statistical or scientific research or for compliance with a legal obligation or for the establishment, exercise or defence of a legal claim;

Your right of access to your personal data

You have the right to request a copy of the personal data we hold about you. In order to do so, simply contact our Data Protection Officer and specify in writing what data you would like to have access to. We will take all reasonable steps to confirm your identity before providing details of your personal data.

You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Your right to restriction of processing

You have the right to ask us to limit how we use your data. If necessary, you may also stop us from deleting your data. To exercise your right to restriction, simply contact our Data Protection Officer, say what data you want restricted and state your reasons. You may request us to restrict processing of your personal data in the following circumstances:

  • If you have contested the accuracy of your personal data, for a period to enable us to verify the accuracy of the data;
  • If you have made an objection to the use of your personal data;
  • If we have processed your personal data unlawfully but you do want it deleted;
  • If we no longer need your personal data but you want us to keep it in order to create, exercise or defend legal claims.

Your right to object to processing

You have the right to object in writing at any time to the processing of personal data concerning you unless we demonstrate competing legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or for the establishment, exercise or defence of a legal claim.

We currently process personal data for direct marketing. Where you object to the processing of your personal data for the purposes of direct marketing, your personal data shall no longer be processed for that purpose.

Your data to data portability

The right to data portability allows you to ask for transfer of your personal data from one organisation to another, or to you. The right only applies if we areprocessing information based on your consent or performance of a contract with you, and the processing is automated. You can exercise this right with respect toinformation you have given us by contacting our DPC (refer to Section 10). We will ensure that your data is provided in a way that is accessible and machine-readable.

Your right to withdraw consent

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

Changes to this privacy notice

We keep our privacy notice under regular review. We reserve the right to change our privacy notice at any time thus we encourage you to periodically review this notice to be informed of how we are using and protecting your personal data. We will notify you of significant changes by email or through automatic pop-ups on our website and applications. This version was last updated on [INSERT DATE].

Contact details

The primary point of contact for questions relating to this privacy notice, including any requests to exercise your legal rights, is our Data Protection Officer who can be contacted by email, at or the following physical address or telephone number

BANK ONE 16, Sir William Newton Street Port Louis, Mauritius Tel: 230 202 9200 / 202 9191

If you believe we have not handled your request in an appropriate manner, you have the right to file a complaint with the Data Protection Commissioner in Mauritius, whose contact details are as follows:

Data Protection Office 5th Floor, SICOM Tower, Wall Street, Ebene Email address: Phone number: + 230 460 0253 Fax: +230 489 7346

The procedure to file a complaint with the Data Protection Commissioner is available on

Annex A: Records retention and disposal schedule

As a general rule, the maximum retention period is 7 years.

The table below sets specific retention requirements:

Categories of Personal Data
Purpose of processing
Retention period
Contact details, Individual details, National Identification details
Account Opening and Maintenance
7 years
Data Subject Access Requests
2 years after the Data Subject Access Request has been closed
Customer Surveys
7 years
Audit Reports
7 years
Performance of Banking Agreements
7 years
Handling Customer Complaints / Feedback
7 years
Direct Marketing (via Email and SMS)
7 years
Social Media Contests / Promotions
7 years
Email / Newsletter subscription
7 years
IT information
Internet Banking user registration
7 years
Monitoring Website Usage and Activity
Refer to our Cookie Policy for the full list of Retention Period of all of our Cookies
Financial information, Credit risk and Anti-Fraud Details
Performance of Banking Agreements
7 years
Account Opening and Maintenance
7 years
Credit Assessment
7 years
Customer Due Diligence / AML CFT Purposes
7 years
Physical security information
Security/ Identifying disciplinary infringement/ Investigation, detection and prevention of crime
90 days
Voice information
Performance of Banking Agreements
7 years
Handling Customer Complaints / Feedback
7 years
Special Categories of Personal Data/ Data on vulnerable persons
Account Opening and Maintenance
7 years
Performance of Banking Agreements
7 years

Last updated: July 21, 2021

Download pop
for free

Scan this QR code with your phone :

2024 © All Rights Reserved | Terms and Conditions | Privacy & Cookie Policies |

Download pop
for free

Scan this QR code with your phone :

2024 © All Rights Reserved | Terms and Conditions | Privacy & Cookie Policies |

Show your Barcode
and make instant
pop payments at intermart

cover intermart


Go to Show QR/Bar
Code in Quick Menu


Select Show


Place your device under the Barcode scanner


Go to your Notifications, Click Pay

Not yet pop’in?
Download now

Bank One is licensed by the Bank of Mauritius.
Pop is a service from Bank One.
logo intermart
2024 © All Rights Reserved | Terms and Conditions | Privacy & Cookie Policies |