Privacy Policy

HIREBRIGHT (PTY) LTD (“HIREBRIGHT”) Traiding as RAISINGBRIGHTNESS

DATA PRIVACY POLICY FOR CUSTOMERS

DATE REVIEWED: 21 JUNE 2021

1. Definitions

1.1 “Customer”/”you” means a customer of RaisingBrightness that subscribes for the Services in terms of an agreement between RaisingBrightness and the Customer (with “your” indicating possession);

1.2 "Customer Data" means the data inputted by the Customer, authorised users, or RaisingBrightness on the Customer's behalf for the purpose of using the Services or facilitating the Customer's use of the Services, which may include Personal Information;

1.3 "Data Protection Legislation" means any applicable data protection or privacy laws applicable in South Africa, including the Protection of Personal Information Act, 4 of 2013 (“POPIA”).

1.4 “Data Subjects" means, for purposes of this policy, the Customer's affiliates, clients, staff and any other person/s to whom Personal Information relates;

1.5 “Electronic Communication” means any text, voice, sound or image message sent over an electronic communications network, which is stored in the network or in the recipient’s terminal equipment until collected by the recipient;

1.6 “Operator” means a person who Processes Personal Information for the Responsible Party in terms of a contract or mandate, without coming under the direct authority of the Responsible Party, in this instance being RaisingBrightness;

1.7 “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

1.7.1 information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

1.7.2 information relating to the education or the medical, financial, criminal or employment history of the person;

1.7.3 any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

1.7.4 the biometric information of the person;

1.7.5 the personal opinions, views or preferences of the person;

1.7.6 correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

1.7.7 the views or opinions of another individual about the person; and

1.7.8 the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

1.8 “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including—

1.8.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, system testing or use;

1.8.2 dissemination by means of transmission, distribution or making available in any other form by electronic communications or other means; or

1.8.3 merging, linking, blocking, degradation, erasure or destruction;

and “Process” or “Processes” has a corresponding meaning;

1.9 “Regulator” means the appropriate Regulator as defined in applicable Data Protection Legislation;

1.10 “Responsible Party” means the person who, alone or in conjunction with others, determines the purpose of and means for Processing Personal Information, and who is also the Customer;

1.11 “Services” means any type of services provided by RaisingBrightness to the Customer in terms of an agreement.

2. Introduction and Roles

2.1 In the course of RaisingBrightness providing Services to the Customer, there is a likelihood that RaisingBrightness will receive, be exposed to and/or Process the Personal Information of the Data Subjects.

2.2 This Privacy Policy aims to give you information on how RaisingBrightness collects and processes your personal data through any form of your engagement with RaisingBrightness such as your engagement with us when contracting or corresponding with us, when using our Services, accessing or using our Website, or providing us with your or third party personal data in any other way.

2.3 This Privacy Policy also mirrors how we have designed our data security and protections at RaisingBrightness along the fundamental pillars of Accountability, Minimality, Transparency and Fairness. Everything we do relating to data processing is with “Privacy by Design” and “Privacy by Default” as its foundation.

2.4 We have appointed an Information Officer (“IO”) at RaisingBrightness who is responsible for overseeing questions and any other matters in relation to this Privacy Policy or data processing at RaisingBrightness. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights with RaisingBrightness, please contact the IO using the details set out below.

2.4.1 Our full details are:

▪ Full name of legal entity: Hirebright (Pty) Ltd. Traiding as RaisingBrightness

▪ Name or title of data representative: Yolanda Grobler

▪ Email address: info@raisingbrightness.co.za

2.5 You have the right to make a complaint at any time to your territories’ specific to South African (such as the Information Regulator’s Office of South Africa). We would, however, appreciate the chance to deal with your concerns before you approach any such regulator, so please contact us in the first instance.

2.6 It is important that the personal data we hold about you is accurate and current. Please update your personal data by contacting us directly and keeping us informed if your personal data changes during your relationship with us. We may also periodically contact you to confirm whether your personal data held by us is still correct and up to date.

2.7 We will also notify you should our Privacy Policy or processing operations materially change, by sending you a privacy notice capturing the changes, as well as what you can do to find out more information related thereto.

2.8 We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Service feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

2.9 Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services or allow you to provide us with your services). In this case, we may have to cancel Website-access or Services you have with us, but we will notify you if this is the case at the time

3. Obligations of RaisingBrightness and the Customer with regard to Customer Data

3.1 RaisingBrightness shall, in providing the Services, comply with this Data Privacy Policy relating to the privacy and security of the Customer Data.

3.2 If RaisingBrightness Processes any Personal Information on the Customer's behalf when performing its obligations under the agreement with the Customer, it is recorded that the Customer shall be the Responsible Party as defined in applicable Data Protection Legislation.

3.3 The Customer shall have an obligation to ensure that the Customer is entitled to transfer the relevant Personal Information to RaisingBrightness so that RaisingBrightness may lawfully use, Process and transfer the Personal Information in accordance with its agreement with the Customer on the Customer's behalf.

3.4 The Customer is furthermore required to ensure that the relevant third parties have been informed of, and have given their consent to, such use, Processing, and transfer as required by all applicable Data Protection Legislation.

3.5 RaisingBrightness shall Process the Personal Information only in accordance with the terms of its agreement with the Customer and any lawful instructions reasonably given by the Customer from time to time. In this regard and to guide RaisingBrightness, as the Operator, with regard to the Processing of Personal Information, which may form part of the Customer Data, the Customer, as the Responsible Party, will be required to complete the information schedule attached hereto as Annexure A. It will be the responsibility of the Data Custodian, as defined in the RaisingBrightness Information Security Policy, to ensure that the Customer completes Annexure A, that the completed Annexure A is stored in a dedicated folder and that the data scope identified by the Customer is adhered to.

3.6 RaisingBrightness shall not otherwise modify, amend or alter the contents of such Personal Information or disclose or permit the disclosure of such Personal Information to any third party, unless specifically authorised to do so by the Customer. Customer authorisation for disclosure to third parties should be issued in accordance with the Data Processing Agreement SOP.

3.7 The Customer Data received by RaisingBrightness shall be hosted by a third-party service provider of RaisingBrightness’s choice.

3.8 RaisingBrightness acknowledges that the Customer Data is the confidential information of the Customer. In terms of the RaisingBrightness Information Security Policy, the Customer Data will be classified as being secret with only authorised RaisingBrightness staff allowed access to the Customer Data.

3.9 RaisingBrightness shall assist the Customer to comply with any requests for access to Personal Information received by the Customer from Data Subjects and, at the request of the Customer, RaisingBrightness shall provide the Customer with a copy of any Personal Information held by RaisingBrightness in relation to a specified Data Subject. RaisingBrightness reserves the right to levy the prescribed fee to adhere to such requests from the Customer. RaisingBrightness agrees that notwithstanding the confidentiality provisions of the agreement between RaisingBrightness and the Customer, the Customer may disclose to a Data Subject that RaisingBrightness has been or is involved in Processing such Data Subject's Personal Information.

3.10 RaisingBrightness shall under instruction and authority of the Customer, provide it with all assistance required for the Customer to discharge its duties as Responsible Party relating to a requirement by the Regulator (a) for the Customer as Responsible Party to submit an independent auditor’s report or other information relating to interference by the Responsible Party with the Personal Information of a Data Subject, (b) that the Customer is processing Personal Information in accordance with legislation, or (c) that the Customer is otherwise compliant with any other relevant legislation. RaisingBrightness reserves the right to levy an administration fee to provide the assistance to the Customer as provided for in this paragraph.

3.11 RaisingBrightness shall, at the request of the Customer, return or destroy all Personal Information in the possession or control of RaisingBrightness, including in accordance with any specific retention, destruction and purging requirements as may be prescribed by the Customer. RaisingBrightness reserves the right to levy an administration fee to the Customer to comply with a request as per this paragraph.

3.12 As noted, the Personal Information of a Data Subject shall be labelled as secret information, as provided for in the RaisingBrightness Information Security Policy, and shall be Processed and handled by RaisingBrightness accordingly. Any Processing of Personal Information for the Customer shall be conducted separately from Personal Information, data and property relating to RaisingBrightness or any third party and may not be combined or merged with information of another party.

4. Security

4.1 Both RaisingBrightness and the Customer shall take appropriate technical and organisational measures to ensure that all Personal Information communicated, including, without limitation, any digital communication or any Personal Information stored in digital form shall be secured against being accessed or read by unauthorised parties, using appropriate security safeguards, having due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

4.2 In particular, RaisingBrightness ensures that all Personal Information is labelled as secret information and will be stored in a secure location, as provided for in the RaisingBrightness Information Security Policy.

4.3 We employ and protect all data with SSL encryption and other security measures to ensure that your data is protected and safe. Please be advised that while we take extra measures to protect your data and the integrity of your information, we cannot guarantee that our security measures will prevent unauthorized access from occurring. Please take the proper steps to maintain the security of your account information. We highly recommend that you set a strong password for your registered account with RaisingBrightness to ensure others from easily guessing your password.

4.4 Passwords are encrypted before being written to the database. This means that there are never plaintext passwords stored in the database. Passwords cannot be retrieved, only reset, to protect privacy at the highest level.

4.5 Our database has several layers of encryption security. Complex logic has been developed and deployed to detect malicious activity with swift banning implementation to prevent any hacking attempts. Beyond this, we do not disclose our private security measures.

5. Notification of a Personal Information Security Breach

5.1 RaisingBrightness shall notify the Customer in writing, immediately, if possible, but as

soon as reasonably possible after becoming aware of or suspecting any unauthorised

or unlawful use, disclosure or processing of Personal Information, taking into account

the legitimate needs of law enforcement or any measures reasonably necessary to

determine the scope of the compromise and to restore the integrity of the Operator’s

information system - and comply with the following -

5.1.1 take all necessary steps to mitigate the extent of the loss or compromise of Personal Information and to restore the integrity of the affected information systems as quickly as possible;

5.1.2 furnish the Customer with details of the Data Subjects affected by the compromise and the nature and extent of the compromise, and if known, include details of the identity of the unauthorised person who may have accessed or acquired the Personal Information;

5.1.3 provide the Customer with a report on its progress in resolving the compromise at reasonable intervals but at least once per week following the initial notification to the Customer, until such time as the compromise is resolved;

5.1.4 in consultation with the Customer and where required by law notify the South African Police Service; and/or the National Intelligence Agency; and

5.1.5 only upon request by the Customer, or otherwise if required by law, notify the Regulator and/or the affected Data Subjects. Any such notification shall be in a form prescribed by the Customer or the Regulator, as the case may be, if applicable, and contain such information as is specified by the Customer and or the Regulator. Notwithstanding the aforegoing, a notification to a Data Subject shall always include sufficient information to allow the Data Subject to take protective measures against the potential consequences of the compromise;

5.2 In this regard, RaisingBrightness will follow the process as detailed in the RaisingBrightness Incident Management Policy.

6. Disclosure required by law

6.1 In the event that RaisingBrightness is required to disclose or Process any Personal Information required by law, regulation or court order, or if the Processing of such Personal Information is required to enable a public body to properly perform a public law duty to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party, is necessary for pursuing the legitimate interests of the Customer, a third party to whom the information is supplied, or a Data Subject, or complies with an obligation imposed by law on the Customer, RaisingBrightness –

6.1.1 will advise the Customer thereof prior to disclosure, if possible. If prior

disclosure is not possible, RaisingBrightness shall advise the Customer

immediately after such disclosure;

6.1.2 will take such steps to limit the extent of the disclosure or Processing in sofar

as it reasonably practically and legally can;

6.1.3 will afford the Customer a reasonable opportunity, if possible and permitted,

to intervene in the proceedings; and

6.1.4 will comply with the Customer's requests as to the manner and terms of any

such disclosure or Processing, if possible and permitted.

7. Transfer of Personal Information

7.1 Personal Information will be stored in the Republic of South Africa and The United Stated of America due to the video platform being used by RaisingBrightness

8. Retention and Destruction requirements

RaisingBrightness shall be required to comply with the destruction and retention policies of the Customer as are either set forth in the agreement between RaisingBrightness and the Customer or as may be communicated to RaisingBrightness. In particular, RaisingBrightness shall store all Personal Information which it Processes for the minimum time periods as are stipulated by the Customer and shall be required to destroy all Personal Information relating to the Data Subjects in compliance with the destruction time periods and in accordance with the Customer’s specified destruction procedures and methodology. RaisingBrightness reserves the right to levy an administration fee to the Customer to comply with the Customer requirements in this regard. We will keep data for up to 30 days after your account is deleted. After the 30 days all personal data will be fully removed from our system.

9. Direct marketing

9.1 All Data Subjects have the right to object to their Personal Information being Processed for the purposes of direct marketing by Electronic Communication.

9.2 Direct marketing is, however, permitted if the Data Subject is an existing Customer of RaisingBrightness and RaisingBrightness has obtained his or her details through the sale of a product or service or where the marketing communication is for the purpose of directly marketing similar products or services of RaisingBrightness and the Data Subject has been given the opportunity to object, free of charge and without unnecessary formality, to the use of his or her Personal Information at the time of collection and on each occasion of direct marketing (unless consent has already been refused).

9.3 Should an existing Customer of RaisingBrightness require that RaisingBrightness send marketing communications to the Customer’s clients, the obligation will be on the Customer to obtain the required consent from its clients in this regard and as provided for in the relevant Data Protection Legislation.

10. Email notices

10.1 When you register to use our services or purchase products from a vendor using our services, your email will automatically be listed in the RaisingBrightness mailing list. You will receive welcome information, account information, and other marketing related information related to our services, as well as the products you viewed and purchased. You may also receive periodic emails from us notifying you of new features, products, titles and other related information pertaining to our services.

10.2 You may choose to opt out of receiving emails from us, but if you choose to do so, you will not receive technical support requests, account updates and notifications, product updates, security updates or updates to our Privacy Policy.

10.3 If you forget your account information, you may log back onto RaisingBrightness’ website and click “forgot login” on the login area screen. A password reset link will then be emailed to you with further steps to reset your account information.

ANNEXURE A

INFORMATION SCHEDULE TO BE COMPLETED BY THE CUSTOMER

Customer name: _______________________________________________

Services provided by RaisingBrightness Personal Information to be Processed by RaisingBrightness per Service Would any of the Personal Information be subject to the GDPR? Specific retention requirements and security measures

Destructions requirements

Retention Requirements Security Measures