PRIVACY NOTICE

—

DATA PRIVACY AND PROTECTION

This clause applies to the processing by the Company of all Personal Data of its Users relating to the use of the Services. It is applicable in circumstances where we act as a data controller, which for the purposes of this Privacy Notice, includes where we act as a “Responsible Party” in terms of POPIA (“Data Controller”). In other words, it applies to circumstances in which we determine the purposes and means of processing Personal Data.

1. Types of Personal Data

At any time, we may collect, store, and use Personal Data including your full name, contact information, identity/passport details, financial information, age, credit information, address, username, password, login details and other Personal Data necessary for us to comply with any legal obligations and/or required for legitimate business purposes.

2. Obtaining your Personal Data

Your Personal Data is –

2.1 provided to us by you through the use of our Services; and/or

2.2 created by us in the course of your usage of our Services.

3. Purposes for which your Personal Data is processed

Your Personal Data is processed in order for us to provide the Services and perform any actions incidental thereto, including but not limited to purposes such as regulatory compliance, marketing, general communication, trade, complaints, feedback, customer verification, record maintenance, security purposes, human resources, and/or finance functions, among others.

4. Lawful bases for processing

The lawful bases which we rely upon in order to process your Personal Data include: consent; performance of a contract, compliance with a legal obligation, protection of the vital interests of a data subject, legitimate interest of Koin and/or a third party, among other reasons.

5. Access to your Personal Data by our Personnel

For the purposes of maintaining and managing a centralized user database, ensuring general governance, safety, and security, and for support (including regarding IT), your Personal Data will only be shared with and processed by Personnel that –

5.1. need to know the information in order to process it on yours and our behalf; and

5.2. have agreed in writing to non-disclosure restrictions at least as strong as those herein.

6. Access to your Personal Data by third parties or Data Processors

When a third party processes your Personal Data for or on behalf of the Company in terms of a contract or mandate it acts as a Data Processor. In line with the requirements of the Applicable Laws, we enter into an agreement with such Data Processors for the processing of Personal Data on our behalf. In such circumstances, we use our best endeavours to ensure that the Data Processor established and maintains reasonable technical and organisational measures to secure your Personal Data.

7. Retention

7.1. We do not retain your Personal Data any longer than is necessary for us to achieve the purpose for which the Personal Data is processed. We will only retain your Personal Data for so long as we have a lawful basis for doing so. In this context, we may keep your Personal Data for as long as your account is active and/or as is necessary for us to provide you with our Services in line with the purposes set out above.

7.2. If we are subject to any statutory retention periods, we will retain your Personal Data for the period specified by the law in question. The statutory retention period may vary depending on the type of data and the jurisdiction in question.

7.3. Notwithstanding the above, we may retain such Personal Data as is necessary for us to demonstrate that we have complied with our obligations above and for the length of any applicable limitation period for claims that might be brought against us.

7.4. In certain circumstances, we may anonymize (or de-identify) your Personal Data such that it can no longer be used to identify you, in which case we may use such Personal Data indefinitely and without further notice to you.

8. The Company will not sell or hire out the User’s personal data to third parties for marketing purposes. The Company uses this information solely and exclusively in the manner described in these Terms and Conditions.

9. Storage of Personal Data

9.1. Your Personal Data is stored securely on Google and Amazon Web Services servers, with physical copies of such Personal Data stored in Belgium and/or Dubai.

9.2. By making use of our Services, you are expressly and specifically consenting to the transfer of your Personal Data in accordance with these Terms and Conditions.

10. Security

The Company has implemented appropriate technical, physical, and organisational measures to ensure the confidentiality, security, and integrity of your Personal Data and guard against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure, or access, and against all other forms of unlawful processing (including, but not limited to unnecessary collection) or further processing. In the event of a data breach, we shall notify you and the relevant supervisory authority in accordance with the time periods and requirements (and subject to any qualification) set out in the Applicable Laws.

11. Rights of Data Subjects

11.1. In addition to your rights relating to notification, communication, modalities for exercise, and transparency of information, you have the right to request access to your Personal Data, the right to have your Personal Data rectified or erased, the right to request the restriction of processing of your Personal Data, the right to data portability, the right to object to the processing, and the right to lodge a complaint, among others. It is important to bear in mind that many of these rights are not absolute and are subject to certain exceptions in law.

11.2. Below, we set out your rights in further detail and provide you with information as to how you may exercise these rights. Subject to any relevant period specified in the Applicable Laws, we will endeavour to respond to requests made pursuant to the exercise of your rights within one month but reserve the right to extend such period to two months if required. If we extend such period beyond one month, we will notify you as soon as reasonable possible.

11.3. Access: you are entitled to ask us if we hold and/or are processing your Personal Data and, if so, you may ask us to access a copy of your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to decide for yourself as to whether we comply with our obligations in terms of the Applicable Laws. If your request is clearly unfounded, excessive and/or unreasonable we reserve the right to charge a reasonable fee or refuse to comply with your request in such circumstances.

11.4. Correction: you are entitled to request that any incomplete or inaccurate Personal Data we hold about you be corrected.

11.5. Erasure: you are entitled to ask us to delete or remove Personal Data in certain circumstances. There are certain exceptions in which we may refuse a request for erasure, for example, where the Personal Data is required for us to comply with a legal obligation or in connection with the establishment, exercise, or defence of legal claims. As indicated elsewhere in this Privacy Notice, if we are asked to delete your Personal Data, we may retain such information as is necessary in order for us to demonstrate that we have complied with our obligations.

11.6. Restriction: you are entitled to ask us to suspend the processing of your Personal Data, for example if you would like us to confirm the veracity thereof or the reason for processing it.

11.7. Data portability: you may request the transfer of a copy of certain of your Personal Data to you or another party (if technically feasible). You have the right to ask that we provide your Personal Data in an easily readable format to another company.

11.8. Objection: where we are processing your Personal Data based on our legitimate interest, you may object to processing on this ground. However, it is important to note that the Applicable Laws may entitle us to continue processing your Personal Data based on our legitimate interests.

11.9. File a complaint: to the extent that you allege that there has been an interference with the protection of your Personal Data, you may file a complaint with the relevant supervisory authority, as set out below.

11.10. Marketing preferences: we may send you marketing communications about our services, via different channels such as phone, SMS, and third-party social networks, in accordance with the relevant marketing laws. When required by any Applicable Laws, we will obtain your consent before commencing with these activities and will cease to do so when you opt-out of such marketing by following the instructions in those communications or by emailing us at: office@koininternational.com. In such cases, we may retain minimum Personal Data to demonstrate that you have opted out so as to avoid contacting you again. Please note that even if you opt-out from receiving marketing communications, we may still send you administrative communications, such as technical updates for our Services, order confirmations, notifications about your account activities, and other important notices.

12. Cross-border transfer of Personal Data

Personal Data that we collect from you may be transferred to and stored at a destination outside of South Africa, Belgium or UAE (the “Relevant Jurisdictions”) Your Personal Data may also be processed by personnel operating outside of the Relevant Jurisdictions who work for us or for one of our Data Processors. We will ensure reasonable technical and organisational measures are in place, in accordance with any Applicable Laws, so as to protect the privacy and integrity of your Personal Data in such circumstances. We will ensure that the third-party recipient of the Personal Data is subject to laws or an agreement with us which provides of the same level of protection to Personal Data as the Applicable Laws do. You can obtain information and a copy of documentation pertaining to the safeguards to which your Personal Information is subject to from the relevant Data Protection Officer (or Information Officer for the purposes of POPIA) at the details specified below.

13. Queries or requests for access, modification, rectification, erasure, restriction, data portability or objection

Should you have any other questions or queries regarding the processing of your Personal Data, or should you wish to exercise any of the applicable rights afforded to you in terms of the Applicable Laws, please contact our Data Protection Officer (or Information Officer for the purposes of POPIA) at office@koininternational.com. We will respond to your request as soon as practicable. We may request proof of identification to verify your request.

14. Lodging a data privacy complaint

14.1. If you have any complaint about the way we process your Personal Data, you may lodge a complaint with a supervisory authority in the country of your residence, where you work or where an alleged infringement of the Applicable Laws took place. For a list of the relevant EU supervisory authorities and their contact details, kindly contact us at office@koininternational.com .

14.2. With regard to South Africa, the relevant supervisory authority is the South African Information Regulator (the “Regulator”). Should you wish to file a complaint with the Regulator, you may do so in the prescribed manner and form. The Regulator’s email address is: complaints.IR@justice.gov.za. The Regulator is furthermore situated at JD House, 27 Siemens Street, Braamfontein, Johannesburg, 2001. You may also visit the Regulator’s website at www.justice.gov.za/inforeg for further information and to keep up to date with any data privacy developments in the context of South African law.

14.3. With regard to Belgium, further information is available on the website of the by the Belgian Commission for the Protection of Privacy (the “Commission”), Porte de Hal/Hallepoort, 5-8, 1060 Brussels. You may also visit the Commission’s website at www.privacycommission.be.

15. Pursuant to a special request by the User to this end, all his/her data will be removed from the Company’s databases.

16. As soon as a User registers and supplies his/her personal data, the User is no longer anonymous to the Company. The Company may request a User to provide contact and identification details, invoicing details and other personal data on the various forms spread over the website.

17. Where possible, the Company indicates what fields compulsorily have to be filled in and what fields are optional. The User may at any time elect not to supply information and opt not to use the Website or any services thereon including but not limited to the Sales Platform.

18. A registered User of the Website and Sales Platform hereby agrees to receive newsletters and updates from the Company. The User may at any time opt out of the Company’s mailing list by emailing office@koininternational.com.

19. The Company automatically traces certain information based on User behaviour on the Website. The Company uses this information for internal research into the demographic data of the Website users, their interests and behaviour, in order to gain a better understanding of the Website use and to be able to provide a better service.

20. When a User chooses to purchase goods on the Website, the Company collects data on the User’s bidding and purchasing behaviour. This includes the use of cookies to retrieve user details for each visit. Cookies are used in some areas of Website to enable the functionality of this area and ease of use for those people visiting

21. Subject to the privacy provisions of these Terms and the Applicable Laws, any material or information a User supplies shall be considered non-proprietary and not confidential.

—

[Updated: 28 June 2022]