PROTECTION OF PERSONAL INFORMATION ACT (POPIA) POLICY of TUERI (PTY) LTD This POPIA Policy ("Policy") applies to Tueri (Pty) Ltd ("the Company"). 1 CONTEXT AND BACKGROUND This Policy covers the Company's compliance with and application of the Protection of Personal Information Act, 4 of 2013 ("POPIA"). The Company promotes the right to protection against unlawful processing of Personal Information and giving effect to the right to privacy as enshrined in section 14 of the Constitution of the Republic of South Africa. 2 DEFINITIONS In this Policy, the following definitions apply: 2.1 "Consent" means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information. 2.2 "Competent person" means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child; 2.3 "Data Subject" means the Person to whom Personal Information relates, and for purposes of this Policy. 2.4 "De-identify" means to delete any information that identifies the Data Subject, can be used or manipulated by a reasonably foreseeable method to identify the Data Subject, or can be linked by a reasonably foreseeable method to other information that identifies the Data Subject. 2.5 "Deputy Information Officer" means the Deputy Information Officer required in terms of section 56 of POPIA. 2.6 "Information Officer" means the Information Officer required in terms of section 55 of POPIA. 2.7 "Information Regulator" means the Information Regulator established in terms of section 39 of POPIA. 2.8 "Operator" means a person who processes Personal Information for the Company in terms of a contract or mandate, without coming under the direct authority of the Company. 2.9 "Person" means a natural person or a juristic person. 2.10 "Personal Information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to: (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; (h) the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person; (i) and includes ''Special Personal Information'' referred to in section 26 of the POPIA such as religion, race or ethnic origin, criminal record, trade union membership, health, medical records, or biometric information of a Data Subject. 2.11 "POPIA" means the Protection of Personal Information Act, 4 of 2013. 2.12 "Processing" means any operation or activity or any set of operations, whether by automatic means, concerning Personal Information, including: (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of Personal Information; 2.13 "Responsible Party" means the Company as a private body, who alone or in conjunction with others, determines the purpose of and means for processing Personal Information. 3 PURPOSE This Policy promotes the protection of Personal Information and aims to regulate, in harmony with regulatory standards, the processing of Personal Information by the Company, as well as promotion of the right to privacy and regulation of the manner in which the Company processes Personal Information, in accordance with the requirements of the POPIA. 4 PRINCIPLES 4.1 This Policy applies to all the Company's operations and activities in South Africa and to the extent legally required in other jurisdictions. 4.2 The Company processes Personal Information of the individuals (natural persons) and corporate entities (juristic persons, such as companies, close corporations and trusts) with whom it works in order to operate and carry out its operations and activities (collectively referred to as "Persons"). 4.3 The Company regards the lawful and proper processing of Personal Information as crucial to successful service delivery and essential to maintaining confidence between the Company and those Persons who deal with it. 5 RIGHTS OF DATA SUBJECTS The Company will ensure that it makes Data Subjects aware of their rights, as appropriate and specifically with regards to the following: 5.1 The right to access Personal Information Data Subjects have the right to establish whether the Company holds Personal Information related to them, including the right to request access to that Personal Information. 5.2 The right to have Personal Information corrected or deleted Data Subjects also have the right to ask the Company to update, correct or delete their Personal Information on reasonable grounds. 5.3 The right to object to the processing of Personal Information Data Subjects have the right on reasonable grounds, to object to the processing of their Personal Information. The Company will consider such requests and the requirements of POPIA and may cease to process such Personal Information and may, subject to statutory and contractual record keeping requirements, also destroy the Personal Information. 5.4 The right to object to direct marketing Data Subjects have the right to object to their Personal Information being used for the purposes of direct marketing by means of unsolicited electronic communications. 5.5 The right to complain to the Information Regulator Data Subjects have the right to submit a complaint to the Information Regulator regarding infringements of any of their rights protected under POPIA and to institute civil proceedings against alleged non-compliance with the protection of their Personal Information. 5.6 The right to be informed Data Subjects have the right to be informed that their Personal Information is being collected by the Company and should also be notified in any situation where the Company reasonably believe that the Personal Information of Data Subjects has been accessed by unauthorised person/s. 6 GENERAL GUIDING PRINCIPLES All employees and persons acting on behalf of the Company will be subject to the following guiding principles: 6.1 Accountability Compliance failure could damage the reputation of the company and its shareholders. The Company could also be exposed to a civil claim for damages. The protection of Personal Information is therefore everybody's responsibility. The Company will take appropriate steps including disciplinary action against individuals who through intentional or negligent actions and/or omissions fail to comply with this Policy. 6.2 Processing limitation 6.2.1. The Company collects Personal Information directly from Data subjects only as pertains to business requirements. The type of information will depend on the need for which it is collected and will be processed for that purpose only. We will inform Data subjects as to what information is mandatory or deemed optional, as far as possible. Personal information will only be used for the purpose for which it was collected, intended and as agreed. This may include: 6.2.1.1. Creating and managing user accounts; 6.2.1.2. Providing access to app features and services; 6.2.1.3. Facilitating customer support and responding to inquiries; 6.2.1.4. Sending service-related notifications or updates; 6.2.1.5. Monitoring and improving the performance and security of the application; 6.2.1.6. Complying with legal obligations or regulatory requirements; 6.2.1.7. Conducting internal research and analytics to enhance user experience. 6.2.2.According to section 10 of POPIA, Personal Information may only be processed if the purpose for which it is processed, is adequate, relevant and not excessive. Certain conditions must be met for the Company to process Personal Information as in section 11 of POPIA. These are listed below: (a) Data Subjects consent to the processing - consent is obtained during early stages of the relationship; (b) Processing is necessary - Personal Information is required to facilitate the provision of services to the Data Subject or for the conclusion of a contract to which the Data Subject is a party; (c) The Company is under obligation by law; (d) The legitimate interest of the Data Subject is protected - it is in their best interest to provide the Personal Information; and (e) Processing is in the best interest of the Company - in order to provide our services to the Data Subject. 6.2.3. The Company does not knowingly collect or process personal information of children under the age of 18 without the express consent of a competent person, as defined under POPIA. By providing such information, the competent person confirms that they have the legal authority to consent to the processing of the child’s personal information. 6.2.4. The Company reserves the right to request proof of parental or guardian consent at any time and may suspend or restrict access to the application if such consent is not verified. 6.2.5. Competent persons may exercise the rights of access, correction, deletion, and objection to processing on behalf of the child, in accordance with POPIA. 6.2.6. The Company implements appropriate technical and organisational measures to protect the personal information of children from unauthorised access, disclosure, or misuse. 6.3 Further processing limitation Personal Information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Where the secondary purpose is not compatible with the original purpose, the Company will first obtain additional consent from the Data subject. 6.4 Information quality The Company will take reasonable steps to ensure that all Personal Information is complete, accurate and not misleading. Where Personal Information is collected from third parties, the Company will take reasonable steps to ensure that the information is correct by verifying the accuracy of the information directly with the Data Subject or by way of independent sources. 6.5 Security safeguards Section 19 of POPIA requires the adequate protection of Personal Information that is held by the Company. The Company will continuously review security controls and processes to prevent unauthorised access and use of Personal Information. This POPIA Policy is effective as of 1 August 2025.
