POPIA Policy

Who We Are — The Responsible Party

Under POPIA, the entity that determines the purpose and means of processing personal information is called the responsible party. Global Pact Trading is the responsible party in respect of all personal information collected through our website, our business operations and our interactions with customers, suppliers and partners.

What POPIA Means & Why It Matters

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's primary data protection legislation. It came into full effect on 1 July 2021 and regulates how public and private bodies may collect, use, store, share and destroy personal information.

POPIA was enacted to protect the constitutional right to privacy of individuals in South Africa. It establishes minimum standards for the responsible handling of personal information and gives individuals (data subjects) enforceable rights over their personal information.

Global Pact Trading is committed to complying with POPIA in all aspects of our business. We have implemented policies, procedures and technical measures to ensure that personal information in our possession is processed lawfully, fairly, responsibly and securely.

The Eight Conditions for Lawful Processing

POPIA sets out eight conditions that must be satisfied for the processing of personal information to be lawful. Global Pact Trading is committed to upholding all eight conditions in our operations:

Personal Information We Collect

We collect the following categories of personal information in the course of operating our business:

Identification & Contact Information

• Full name, email address, phone number
• Physical and postal address (billing and delivery)
• Company name and business registration details (for trade accounts)

Transaction & Financial Information

• Order history, product selections and purchase amounts
• Payment method type (we do not store full card numbers)
• Invoice and receipt records

Technical & Usage Information

• IP address, browser type, device information
• Pages visited, time on site, links clicked
• Cookie identifiers and session data

Communication Records

• Messages sent via our contact form or email
• WhatsApp and phone call records (where relevant)
• Product reviews and feedback submitted

Lawful Basis for Processing

Under POPIA, we must have a lawful justification (ground) for processing personal information. We rely on the following grounds depending on the nature of the processing:

• Consent: Where you have voluntarily provided your consent — for example, to receive our newsletter or marketing communications. You may withdraw consent at any time.
• Contractual necessity: Where processing is necessary to fulfil a contract with you — for example, processing your order, arranging delivery and managing your customer account.
• Legal obligation: Where we are required to process your information to comply with a legal obligation — such as maintaining financial records for tax purposes under the Income Tax Act or the VAT Act.
• Legitimate interest: Where processing is necessary for our legitimate business interests, provided these do not override your rights and freedoms — for example, fraud prevention, website security and service improvement.
• Vital interest: In exceptional circumstances, where processing is necessary to protect your vital interests or those of another person.

How We Use Your Personal Information

We process personal information only for the purposes for which it was collected and for compatible purposes. Specific uses include:

• Processing and fulfilling your product orders and managing returns or refunds
• Creating and managing your customer or trade partner account
• Communicating with you about your orders, enquiries and account
• Sending marketing communications where you have consented or where permitted under POPIA
• Analysing website usage to improve our platform and product offering
• Complying with legal and regulatory requirements including tax, POPIA and consumer protection laws
• Detecting, investigating and preventing fraudulent or unauthorised activity
• Processing trade partner applications and managing the partner programme

We will not use your personal information for any purpose that is incompatible with the original purpose of collection without obtaining your consent or having another lawful ground to do so.

Who We Share Your Information With

We do not sell or rent your personal information to any third party. We share personal information only in the following circumstances and only to the extent necessary:

• Courier and logistics partners: Your name, address and contact number are shared with our delivery service providers to fulfil your order
• Payment processors: Payment gateway providers receive your payment information to process transactions securely
• Email and communication service providers: We use third-party platforms to send transactional and marketing emails on our behalf
• Website hosting and IT providers: Our hosting provider has access to data stored on our servers in the ordinary course of providing hosting services
• Legal and regulatory authorities: Where we are required to disclose information by law, court order or lawful request from a government authority

All third-party operators who process personal information on our behalf are required to maintain appropriate data protection measures and to use personal information only for the purposes we specify, in compliance with POPIA.

Cross-Border Transfers

Some of our third-party service providers may be located outside South Africa. Where personal information is transferred to a third country, we ensure that:

• The recipient country has adequate data protection laws in place, or
• The recipient has agreed to comply with POPIA-equivalent data protection obligations through contractual clauses or binding corporate rules, or
• You have consented to the transfer

We take reasonable steps to ensure that personal information transferred outside South Africa receives equivalent protection to that provided under POPIA.

How We Protect Your Information

We implement appropriate technical and organisational security measures to protect personal information in our possession against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:

• SSL/TLS encryption for all data transmitted through our website
• Secure, industry-standard website hosting infrastructure
• Role-based access controls limiting who can access personal information internally
• Regular security assessments and software updates
• Staff awareness of data protection responsibilities
• Secure destruction or anonymisation of personal information when it is no longer needed

While we take all reasonable precautions, no system is completely immune to security risks. We cannot guarantee absolute security but we will respond promptly and responsibly to any security incident.

How Long We Keep Your Information

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our retention periods are:

• Order and transaction records: 5 years (South African tax legislation)
• Customer account information: Duration of account activity plus a reasonable period after closure
• Marketing records: Until consent is withdrawn or you unsubscribe
• Contact enquiries: Up to 2 years, unless needed to resolve an ongoing matter
• Website analytics data: Up to 26 months in anonymised form

At the end of the applicable retention period, personal information will be securely deleted, destroyed or anonymised so that it can no longer be attributed to you.

Special & Sensitive Personal Information

POPIA affords additional protection to certain categories of personal information considered particularly sensitive. These include:

• Religious or philosophical beliefs
• Race or ethnic origin
• Trade union membership
• Political opinions
• Health or medical information
• Sexual orientation or sex life
• Criminal behaviour or biometric information

Global Pact Trading does not intentionally collect any special categories of personal information in the ordinary course of our business. If such information is provided to us incidentally, we will treat it with the highest level of care and will only process it where we have an explicit lawful ground to do so under POPIA.

Your Rights as a Data Subject

POPIA grants you the following rights in respect of your personal information held by Global Pact Trading:

• Right to access: You may request confirmation of whether we hold personal information about you and request a copy of that information
• Right to correction or deletion: You may request that we correct inaccurate information or delete personal information we no longer have a lawful basis to retain
• Right to object to processing: You may object to the processing of your personal information, in particular for direct marketing purposes. We must then cease processing for that purpose
• Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal
• Right not to be subject to automated decision-making: You have the right not to be subject to decisions taken solely on the basis of automated processing, where such decisions have a significant impact on you
• Right to complain: You have the right to submit a complaint to the Information Regulator of South Africa if you believe your rights under POPIA have been violated

How to Exercise Your Rights

To exercise any of your rights under POPIA, please submit a written request to our Information Officer using the contact details below. Please include sufficient information to identify yourself and to describe the right you wish to exercise.

We will acknowledge your request within 5 business days and aim to resolve it within 30 days. In complex cases, we may extend this period by a further 30 days and will notify you accordingly.

We may need to verify your identity before processing your request to ensure we do not disclose personal information to an unauthorised person.

If you are dissatisfied with our response, you have the right to escalate your complaint to the Information Regulator:

Data Breach Notification

In the event of a security compromise that involves personal information, we will take the following steps in accordance with POPIA Section 22:

• Notify the Information Regulator of the breach as soon as reasonably possible after becoming aware of it
• Notify affected data subjects where the breach is likely to result in harm to them — unless such notification would impede a criminal investigation
• Investigate the breach, contain the damage and implement measures to prevent recurrence
• Maintain a record of all security breaches, including those that do not require notification

We take data breaches extremely seriously and have incident response procedures in place to ensure a prompt, organised and responsible reaction to any security incident.

Information Officer

POPIA requires every responsible party to designate an Information Officer to oversee compliance with the Act. The Information Officer of Global Pact Trading is responsible for:

• Encouraging compliance with POPIA within the organisation
• Dealing with requests made by data subjects
• Working with the Information Regulator in relation to investigations
• Ensuring that a POPIA compliance framework is developed and maintained

Updates to This Policy

We may update this POPIA Policy from time to time to reflect changes in our practices, legal requirements or operational changes. The most recent version will always be available on our website. The "Last Updated" date at the top of this page will reflect the date of the most recent revision.

We encourage you to review this policy periodically. For significant changes, we will notify registered users by email where reasonably practicable.