Effective Date: September 2025

1. Introduction

This Privacy Policy explains how Harambe Solutions (Pty) Ltd (“Harambe,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information. We are committed to compliance with South African data protection laws, including the Protection of Personal Information Act 4 of 2013 (POPIA) and applicable provisions of the Electronic Communications and Transactions Act 25 of 2002 (ECTA), along with related legislation.

By using our Website or engaging our Services, you agree to the terms of this Policy. If you do not agree, please discontinue use of our Website and Services. This Policy applies to all individuals (“you” or “data subjects”) who interact with Harambe Solutions, whether through our Website, in person, via email, or through calls and video consultations.

2. Definitions

Client: Any person or entity engaging Harambe Solutions for legal, systems, advisory, or consulting services.

Personal Information: Any information about an identifiable individual (or where applicable, an identifiable juristic entity) as defined under POPIA. This includes standard personal information such as your name, identity or registration number, contact details (email, phone number, physical address), and information relating to your personal or business circumstances. It also includes special personal information (sensitive information) like details about your health or sex life, religious or philosophical beliefs, race or ethnic origin, trade union membership, criminal offenses, or biometric information (e.g. fingerprints, facial images from video calls). For example, if we record video consultations with you (with notice), the recording may capture your likeness or voice, which constitutes biometric personal information. We treat special personal information with extra safeguards and only process it as allowed by law (e.g. with your explicit consent or where strictly necessary).

Services: Any legal, compliance or systems support, consulting, design, advisory, or operational guidance we provide in the Cannabis and the natural and controlled substance markets.

Website: Our website located at www.harambesolutions.co.za, including any subpages and online features.

You: Any user, client, or website visitor who provides Personal Information to us or uses our Website or Services. In POPIA terms, you are the “data subject” with rights as described in this Policy.

Responsible Party: Harambe Solutions (Pty) Ltd, which determines the purpose and means of processing your Personal Information (equivalent to a “data controller”). We have appointed an Information Officer who oversees our data protection compliance.

Operator: A third-party service provider that processes Personal Information on our behalf (equivalent to a “data processor”). We ensure that any Operators we use adhere to strict data protection standards by contract (see Section 6).

3. Personal Information We Collect

We may collect and process various categories of Personal Information, which we obtain directly from you or through your use of our Services:

  • Identification and Contact Details: Your name, surname, title, ID or passport number, company or registration number (if a juristic person), and contact information such as email address, phone number, and physical or postal address.
  • Client Background and Service Information: Information relating to your inquiries or engagements with us. For example, business or entity details if you represent an organization, details about your legal matters or compliance needs (including cannabis-related information you share with us as part of our services), and any objectives or preferences you communicate.
  • Consultation Records: If you participate in consultations or meetings with us (whether in person, telephonically, or via video call), we may keep records of those interactions. This can include audio recordings, transcripts, or video recordings of online meetings (with prior notice and consent when required).
  • Technical Data and Online Usage: When you use our Website, we automatically collect certain technical information: your Internet Protocol (IP) address, device and browser type, operating system, referring website, pages viewed, and how you interact with our Website (e.g. time spent, links clicked).
  • Forms and Correspondence: Any Personal Information you provide by filling in forms on our Website (such as our contact form) or by corresponding with us (via email, phone, or otherwise). This includes inquiries you send us, feedback, or any additional information you choose to share. For instance, if you email us, we will collect your email address and the content of your message.

We do not intentionally collect information about children (persons under 18) as our services are aimed at adults in the professional context. We also do not typically collect special categories of personal data unless you volunteer it or it is necessary for our Services. In the event we need to handle special personal information, we will do so in accordance with POPIA’s stringent requirements (e.g. obtaining your explicit consent unless an exemption applies).

4. How We Use Your Information

We use and process Personal Information for the following purposes, in each case to the extent lawful and necessary:

  • Service Delivery and Administration: To provide, personalize, and administer our legal, compliance, and consulting services.
  • Contract Fulfillment: To prepare and enter into contracts or legal frameworks with you (or the entity you represent), and to perform our obligations under those contracts.
  • Communication: To communicate with you and respond to your inquiries or requests. We will use your contact details to send administrative or service-related communications.
  • Internal Record-Keeping and Operations: To manage our business operations and keep proper records. This covers maintaining records of consultations, advice given, agreements, invoices, payment records, and correspondence, monitoring workloads, and tracking the progress of matters.
  • Legal Obligations and Regulatory Compliance: To comply with our legal obligations under South African law.
  • Service Improvement and Analytics: To analyze trends and improve our website, services, and business strategies. We might use aggregated, de-identified information to compile statistics (e.g. the number of website visitors or common legal inquiries) and report on legal or market trends.
  • Direct Marketing (Promotional Communications): [See Section 10 below for details on how we handle marketing]. If you are an existing client or if you have subscribed to our updates, we may use your contact information to send you newsletters, legal updates, invitations to events, or information about new services that might interest you in accordance with POPIA and ECTA requirements.
  • Security and Risk Management: To protect our business, staff, clients, and networks. We may process certain personal data as needed to prevent fraud, address technical issues, and keep our services secure.

5. Legal Basis for Processing

Depending on the context, our processing of your data is justified on one or more of the following grounds:

  • Consent: In cases where you have given us voluntary, informed, and specific consent for the processing, we will process your personal information on that basis. We process special personal information (e.g., biometric data in call recordings) only with your consent or where POPIA otherwise permits. You have the right to withdraw your consent at any time, and if you do so, we will stop the processing that relied on consent.
  • Contractual Necessity: Where processing is necessary to enter into or perform a contract/project with you, we rely on this basis.
  • Legal Obligation: We will process your personal information when we need to in order to comply with a legal obligation.
  • Legitimate Interests: We may process information as necessary for our legitimate interests (or those of a third party), provided such processing does not unjustifiably infringe your rights or privacy. Our legitimate interests include, inter alia, providing high-quality Cannabis (and other controlled substance) legal and advisory services, ensuring the security of our operations, and improving our services.

In certain instances, more than one legal basis may apply. For special personal information, we will generally require your explicit consent unless another condition in POPIA permits the processing.

6. Data Sharing & Disclosure

In the course of running our business and delivering Services, we may share your personal information with certain trusted parties, but only under these circumstances and safeguards:

  • Authorized Service Providers (“Operators”): We may share data with third-party service providers that assist us in our operations and service delivery. These include, for example, cloud storage or IT infrastructure providers, email and collaboration platforms, data backup services, analytics tools, and professional advisors or consultants (such as partner law firms, specialist counsel, or technology experts) who work with us on your matter.
  • Harambe Team and Affiliates: Your personal information will be accessed by our internal team on a need-to-know basis. Our employees and contractors are subject to confidentiality agreements and data protection training. We may share information with affiliated entities or partners if necessary for delivering our services.
  • Legal Requirements and Protection: We may disclose personal information where we are required by law or legal process to do so, or where we must do so to protect rights and safety.
  • With Your Consent: We will share your personal information with third parties if you have given us explicit consent to do so for a specific purpose.
  • Business Transfers: If Harambe Solutions undergoes a business transaction such as a merger, acquisition by another company, reorganisation, or sale of all or part of its assets, your personal information may be transferred as part of that transaction.

When we do share information, we follow the principle of data minimization – only the information reasonably necessary for the purpose will be disclosed.

7. Data Retention

We retain personal information for no longer than is necessary for the purposes for which it was collected or processed, unless a longer retention period is required or permitted by law. In practice:

  • Operational Retention: We keep your information for as long as we maintain an active relationship with you and for a reasonable period thereafter.
  • Legal and Regulatory Requirements: Certain laws may obligate us to retain data for a specified period.
  • Record of Consultations and Contracts: We maintain internal records of consultations, advice given, contracts, and system implementations we have developed.
  • Video/Audio Recordings: If we have recorded video calls or other communications with you, we will retain those recordings only as long as necessary for the purposes for which they were made. Typically, recorded consultations may be kept for review and note-taking, and transcripts securely saved, then ordinarily deleted 6 months after the consultation, unless required to be kept longer for legal reasons or at your request.
  • Deletion or Anonymization: Once personal information is no longer required for the purposes stated or to meet legal obligations, we will either securely delete or destroy it, or anonymize it.

8. Security Measures

While no method of transmission or storage is 100% secure, we implement appropriate technical and organizational measures in line with industry best practices to prevent loss, damage, unauthorized destruction of, or unlawful access to your information.

  • Encryption: We use encryption protocols where applicable to protect personal data. We also employ encryption for sensitive documents and communications.
  • Secure Storage Systems: Personal information is stored on secure servers or cloud platforms whose data centers meet international security standards.
  • Access Control: We limit access to personal information strictly to authorized personnel who need it for business purposes. Each such individual has unique login credentials and is subject to authentication controls.
  • Confidentiality Obligations: All Harambe Solutions employees, contractors, and any third-party providers with access to personal data must sign confidentiality and data protection agreements.
  • Physical Security: For any physical records or devices, we implement physical safeguards.
  • Maintenance and Testing: We regularly update our software, systems, and security protocols to address new threats.
  • Incident Response: Harambe Solutions has a data breach response plan as required by POPIA. In the unlikely event of a security breach leading to unauthorized access or disclosure of your personal information, we will promptly investigate and take remedial action.

Your role: It is important to note that you should also take steps to safeguard your own information. Despite our best efforts, no security measure can offer absolute protection. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately.

9. Your Rights Under POPIA

  • Right of Access: You have the right to request access to the personal information we hold about you. Upon request, we will provide you with the relevant personal information, subject to any applicable fees, verifications or legal limitations.
  • Right to Correction/Rectification: You have the right to ask us to correct or update any of your personal information that is inaccurate, out-of-date, incomplete, or misleading.
  • Right to Deletion: You may request that we delete or destroy your personal information. We might not be able to delete data we are required to keep by law, but we will inform you of such situations.
  • Right to Object to Processing: You have the right to object to the processing of your personal information under certain conditions, notably, for example, regarding direct marketing.
  • Right to Withdraw Consent: Where we process your personal information based on your consent, you have the right to withdraw that consent at any time.
  • Right to Data Portability: We support your ability to obtain and reuse your personal data.
  • Right to Restriction of Processing: You have the right to ask us to temporarily restrict or suspend processing of your personal information in certain scenarios, for example, while we are verifying the accuracy or processability of the data you contest.
  • Right to Lodge a Complaint: If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the Information Regulator. You can contact the Information Regulator: Email – POPIAComplaints@inforegulator.org.za (for POPIA complaints). Phone – +27 (0)12 406 4818. Address – JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.

To exercise any of your rights, please contact us with sufficient information for us to verify your identity (to prevent unauthorized access to data) and to locate information. We will respond to your request as soon as reasonably possible, and in any event within the timeframes required by law. Please note that we may charge a reasonable fee to cover administrative costs, as permitted by law.

10. Direct Marketing Communications

We strive to communicate with you in a manner that is respectful of your preferences and compliant with South African direct marketing laws:

  • Opt-In for Electronic Marketing: We will only send you promotional emails, newsletters, SMSes, or other electronic marketing communications if we have a lawful basis to do so.
  • Existing Client Exception: If you are an existing client of Harambe Solutions, South African law allows us in certain cases to send you marketing about our own similar services on an opt-out basis.
  • Types of Communications: The direct marketing communications we might send include things like: newsletters with legal updates or industry news, invitations to seminars or events hosted by us, information about new services or products we are offering, or seasonal greetings and firm news that may be of interest.
  • Right to Opt Out: You have an absolute right to opt out of direct marketing at any time. Every marketing email we send will contain an “unsubscribe” link or instructions to reply with “unsubscribe” in the subject line. Alternatively, you can contact us by email and inform us that you do not want to receive marketing messages.
  • Identification of Sender: Any direct marketing communication from Harambe Solutions will clearly identify us as the sender and will not mislead you about its origin or content.
  • Third-Party Marketing: We will not send you third-party marketing unless you specifically consent.
  • Compliance with ECTA (Anti-Spam rules): We only send bulk communications to those who have opted in, but in any case, our messages will always offer an unsubscribe mechanism.

In summary, we will respect your marketing preferences. If you have any issues managing your communication preferences, let us know and we will assist promptly.

11. Cookies and Tracking Technologies

What Are Cookies? Cookies are small text files that websites place on your device (computer, smartphone, etc.) when you visit. They are widely used to make websites work efficiently and to provide information to the site owners. Cookies can remember your actions or preferences over time, so you don’t have to re-enter them whenever you come back or browse from page to page.

Types of Cookies We Use: Our Website may use both session cookies (which expire once you close your browser) and persistent cookies (which remain for a set period or until you delete them). The cookies we use generally fall into the following categories:

  • Strictly Necessary Cookies: These cookies are essential for the operation of our Website and enable core functionality.
  • Functionality Cookies: These allow our Website to remember choices you make and provide enhanced, more personalized features, for example, remembering your region or username for a personalized greeting.
  • Analytics/Performance Cookies: We use these to collect information about how visitors use our Website. The information collected is generally aggregated and anonymous, meaning it does not directly identify you.

We do not currently use advertising or targeting cookies on our Website (cookies that profile you for advertising purposes). If that changes in the future, we will update this Policy and obtain any necessary consent.

Cookie Consent and Control: Under POPIA, cookies that are not strictly necessary – particularly those used for tracking and direct marketing – require user consent. If you choose not to accept some cookies, our site will still function, but some features (for example, media playback or site performance enhancements) might be limited.

Third-Party Content: Our website may include links or embedded content from third-party websites. We do not control the cookies that such content may set, since they are set by external services, and their own privacy/cookie policies apply.

Analytics and Data Sharing: If we use Google Analytics or a similar service, note that information collected (like your IP address and browsing behavior) will be transmitted to and stored by the service provider (e.g. Google) on their servers, which may be in a foreign country (often the United States). We have configured our analytics to anonymize IP addresses if possible, and we treat the data in aggregate form. The analytics provider is prohibited from using the data for purposes outside our instructions. By accepting our analytics cookies, you are consenting to this transfer.

In summary, we use cookies responsibly to ensure our Website works smoothly and to understand usage, but we give you full control over non-essential cookies.

12. International Data Transfers

While Harambe Solutions is based in South Africa and we primarily store and process personal information on servers located within South Africa, we may transfer or store your personal information in other countries under certain circumstances. For example, we use cloud-based services and software tools which might host data in data centers outside South Africa, or we may communicate with you if you are in a different country. We are mindful that POPIA imposes conditions for transferring personal information across borders.

Our approach is to ensure that your personal information remains protected to standards commensurate with POPIA. We do this either by transferring to jurisdictions with strong data protection laws or by using robust contractual safeguards.

In summary, international transfers may occur, but when they do, we ensure lawful grounds and comparable protection as required by POPIA’s cross-border data flow rules. Your information will not be sent to a third party in another country unless it meets one of the allowed criteria or you have consented.

14. Changes to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated Policy on our website and update the “Effective Date” at the top so you can see when the last changes occurred.

15. Contact Us

You can reach our team at info@harambesolutions.co.za for general inquiries or to exercise your data subject rights. This is the quickest way to get a response. Please include “Privacy” or “POPIA” in the subject line to help us route your query to the right personnel.

Marleen Theunissen, our Information Officer, is responsible for overseeing compliance with this Privacy Policy and handling data protection questions. While you may not need to contact them directly, any privacy-related query you send to us will be forwarded to them or their delegate. We will acknowledge receipt of your inquiry and aim to provide a substantive response without undue delay, typically within a few business days. If you are making a request to exercise your rights, we will guide you through any verification steps and processing timelines as required.

If you have a concern or complaint about how we’ve handled your personal information, we truly hope you will reach out to us first, so we can try to resolve it. We value the opportunity to address your concerns and improve our practices. You also have the right to lodge a complaint with the Information Regulator, but we would appreciate the chance to make things right directly if possible.
