POPIA Compliance Notice

Hanani Project Management Solutions (Pty) Ltd ("hanani") is committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), which came into full effect on 1 July 2021. POPIA gives effect to the constitutional right to privacy by regulating the processing of personal information. We take this obligation seriously and have implemented policies, procedures, and technical controls to ensure that personal information in our care is processed lawfully, fairly, and transparently.

In terms of section 55 of POPIA, hanani has designated an Information Officer responsible for overseeing compliance with POPIA and handling data subject requests. Information Officer: The Director, Hanani Project Management Solutions (Pty) Ltd Email: [email protected] Phone: +27 (0)12 996 1932 Address: 17 Beau Art Crescent, Mooikloof Estates, Mooikloof, Pretoria, Gauteng, 0081 Our Information Officer has been registered with the Information Regulator of South Africa as required by POPIA.

We process personal information only when at least one of the following conditions is met (as required by POPIA Chapter 3): Accountability: We take responsibility for all personal information in our possession and implement appropriate measures to ensure compliance. Processing Limitation: We collect personal information only for a specific, explicitly defined, and lawful purpose related to our platform's functions. Purpose Specification: Personal information is collected for a defined purpose and not retained longer than necessary. Further Processing Limitation: Personal information is not processed in a manner incompatible with the purpose for which it was collected. Information Quality: We take reasonable steps to ensure that personal information is complete, accurate, and up to date. Openness: We maintain this POPIA notice and our Privacy Policy to inform data subjects of our processing activities. Security Safeguards: We implement appropriate technical and organisational measures to protect personal information. Data Subject Participation: We respect and facilitate the rights of data subjects to access, correct, and delete their personal information.

POPIA places additional restrictions on the processing of "special personal information" — categories of information that carry heightened sensitivity. On the hanani platform, we may process the following special categories where necessary and with appropriate safeguards: • Race or ethnic origin (for Employment Equity Act reporting purposes, with employer consent) • Health or medical information (only where disclosed voluntarily by a job seeker) • Criminal behaviour (background check results, processed only with the data subject's explicit consent) • Biometric information (SA ID number used for DHA identity verification only) We process special personal information only with the explicit consent of the data subject, or where permitted by law.

Where we rely on consent as the lawful basis for processing, we obtain it through a clear, affirmative action at the point of registration. Our consent mechanism: • Is presented in plain language • Is separate from other terms and conditions • Specifies the purpose of processing • Is freely given and can be withdrawn at any time To withdraw consent, email [email protected] with the subject line "Withdraw POPIA Consent". Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, and may limit your ability to use certain platform features.

Under POPIA, you have the following rights as a data subject: Right of Access (Section 23): You may request confirmation of whether we hold your personal information and a copy of that information. Right to Correction (Section 24): You may request that we correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. Right to Object (Section 11(3)): You may object to the processing of your personal information on reasonable grounds. Right to Complain: You may lodge a complaint with the Information Regulator if you believe we have violated POPIA. To exercise any of these rights, submit a written request to [email protected] with the subject line "POPIA Data Request". We will acknowledge your request within 3 business days and respond fully within 30 days.

Where personal information is transferred to a third party in a foreign country (for example, cloud hosting services), we ensure that the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection substantially similar to POPIA, as required by section 72 of POPIA.

Where we engage third-party operators to process personal information on our behalf (such as payment processors, verification services, and cloud providers), we enter into written operator agreements that: • Prohibit the operator from processing information without our authorisation • Require the operator to implement appropriate security measures • Require the operator to notify us immediately of any security compromise

We maintain a comprehensive information security programme that includes: • Encryption of personal information in transit (TLS/HTTPS) and at rest • Access controls and role-based permissions • Regular security assessments and vulnerability testing • Incident response procedures • Staff training on data protection obligations In the event of a security compromise that may affect your personal information, we will notify you and the Information Regulator as required by section 22 of POPIA.

If you are not satisfied with our response to a POPIA-related request or complaint, you have the right to lodge a complaint with the Information Regulator of South Africa: Information Regulator (South Africa) Website: www.inforegulator.org.za Email: [email protected] Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

We review and update this POPIA Compliance Notice periodically to reflect changes in our processing activities, applicable law, or regulatory guidance. The "Last updated" date at the top of this page indicates when the most recent revision was made.