Privacy Policy (POPI Compliant)

1 – Our Commitment

We respect your privacy and are committed to protecting personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable laws. In terms of POPIA, Spreda is a “responsible party” and must ensure that personal information is processed lawfully, reasonably and transparently.

Under Section 18 of POPIA, when collecting personal information we must inform data subjects about the information being collected, the purpose, whether supply is voluntary or mandatory, the consequences of not providing it and any law authorising collection.

Section 19 requires us to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss, damage or unauthorised access.

Section 69 restricts direct marketing by electronic communication unless the data subject has consented or is an existing customer and has been given an opportunity to opt out.

Section 72 prohibits transfers of personal information outside South Africa unless the recipient provides an adequate level of protection, the data subject consents or the transfer is necessary for a contract.

2 – Information We Collect

We collect and process personal information that you voluntarily provide or that we lawfully obtain from third parties, including:

Account information: name, surname, email address, phone number, date of birth, role (advertiser/promoter/admin) and password.

Profile information: demographic details (e.g., location, interests), business details (e.g., brand names), social media links and banking details for withdrawals.

Transaction and campaign data: records of deposits, transfers, withdrawals, campaigns created, clicks generated, points earned and wallet balances.

Payment details: we integrate with third‑party payment processors (Paystack) and do not store your full card information. We receive payment tokens, references and confirmation statuses.

Usage data: information about how you use our Service, including log data, device information, browser type, IP address, pages viewed, clicks, time stamps and other diagnostic data.

Communication data: records of support requests, emails, messages and enquiries.

We do not intentionally collect special categories of personal information (e.g., race, religious beliefs, health data) unless required by law or provided voluntarily with explicit consent.

3 – Purpose and Legal Basis for Processing

We process personal information for the following purposes and lawful bases:

To provide and operate the Service. This includes creating and managing accounts, facilitating campaigns, tracking clicks, processing deposits, transfers and withdrawals, and providing analytics and dashboards. Processing is necessary to perform our contract with you.

To verify identity and prevent fraud. We use personal information to conduct security checks, detect suspicious activity and enforce our Terms. This processing is necessary for our legitimate interests in securing the Service and complying with Section 19 of POPIA.

To communicate with you. We send transactional messages (e.g., payment confirmations, security alerts), respond to enquiries and provide updates about changes to the Service. Such communications are necessary for contract performance or compliance with legal obligations.

Marketing communications. We may send you information about new features or promotions. We will obtain your opt‑in consent for electronic direct marketing as required by Section 69 of POPIA and provide a simple opt‑out mechanism in every message.

Analytics and improvement. We analyse usage data to improve the Service, develop new features and ensure a positive user experience. Where possible we use aggregated or anonymised data.

Compliance with laws. We process personal information to comply with South African laws (e.g., tax, accounting, anti‑money‑laundering) and to respond to lawful requests by authorities.

4 – Information Sharing and Third‑Party Access

We only share personal information with third parties in accordance with POPIA and for the purposes outlined in this Policy:

Operators and service providers. We engage third parties to perform services on our behalf, such as hosting (Google Cloud / Firebase), payment processing (Paystack), analytics providers and customer support tools. These operators are bound by contractual obligations to protect personal information and must implement security measures. Under POPIA, they may only process information on our instructions (similar to “operators” under Section 20–21).

Legal and regulatory disclosures. We may disclose your personal information to regulators, law enforcement or other competent authorities when required by law or if we believe disclosure is necessary to protect our rights, the rights of other users or to prevent harm.

Business transfers. In the event of a merger, acquisition or sale of assets, your information may be transferred. We will notify you if a transfer occurs and outline any choices you may have.

With your consent. We may share your information with other third parties if you give us explicit consent.

We will not sell your personal information.

5 – International Transfers

Because we use cloud services and payment processors, your personal information may be transferred to and stored in countries outside South Africa. We will only transfer information outside South Africa where:

the recipient country or organisation provides an adequate level of protection that upholds principles substantially similar to POPIA; or

the transfer is necessary for the performance of a contract with you or for pre‑contractual measures; or

you provide explicit consent to the transfer.

We use standard contractual clauses or other approved safeguards where required.

6 – Data Security

We implement reasonable technical and organisational measures to secure personal information against loss, damage, unauthorised access, destruction or disclosure, as required by Section 19 of POPIA. Measures include encryption of data in transit and at rest, strict access controls, regular security audits and staff training. We also take steps to identify and mitigate reasonably foreseeable risks and continually update safeguards.

7 – Retention and Deletion

We retain personal information only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes and enforce our agreements. When information is no longer required, we will delete or anonymise it. In determining retention periods, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it and legal requirements.

8 – Your Rights

Under POPIA and other applicable laws, you have the following rights:

Access. You may request confirmation that we hold personal information about you and request access to such information (Section 23 of POPIA).

Correction. You may request that we correct or update inaccurate or incomplete information (Section 24 of POPIA).

Objection and restriction. You may object to the processing of your personal information or request that processing be restricted, particularly where processing is based on our legitimate interests or for direct marketing.

Withdrawal of consent. Where we process information based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Deletion. You may request that we delete your personal information under certain circumstances. We may need to retain certain information for legal or legitimate purposes.

Data portability. Where applicable, you may request that we provide your personal information in a structured, commonly used and machine‑readable format.

Complaint. You may lodge a complaint with the Information Regulator if you believe we have infringed your privacy rights. Contact details are available at https://inforegulator.org.za.

To exercise these rights, please contact our Information Officer at joseph@simpleinfluence.co.za or write to us at the postal address provided above. We may require proof of identity and may refuse requests that are frivolous, vexatious or unfounded.

9 – Cookies and Tracking Technologies

We use cookies and similar technologies to personalise your experience, understand user behaviour and improve our Service. Cookies may collect information such as your device type, operating system, browser type and browsing behaviour. You can control cookie settings through your browser; however, disabling cookies may limit certain functionality.

10 – Direct Marketing

We comply with the direct marketing provisions of POPIA. We will only send you marketing communications through electronic channels (e.g. email, SMS, in‑app notifications) if you have provided opt‑in consent or if you are an existing customer and have been given an opportunity to opt out. Each marketing communication will include our identity and contact details and a simple mechanism to unsubscribe.

11 – Children’s Privacy

The Service is not directed to children under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that personal information of a child has been collected without parental consent, we will take steps to delete such information.

12 – Changes to this Policy

We may update this Policy to reflect changes in law or our data‑processing practices. We will notify you of significant changes and post the revised Policy on the Service. Your continued use of the Service after changes become effective constitutes acceptance of the revised Policy.

13 – Contacting Us

If you have questions or complaints about this Policy or our privacy practices, please contact:

Information Officer: Joe (Information Officer, Simple Influence (Pty) Ltd)
Email: joseph@simpleinfluence.co.za
Physical address: Johannesburg, South Africa (full address provided on request)

You also have the right to lodge a complaint with the Information Regulator:

Information Regulator South Africa | 33 Hoofd Street, Forum III, Braampark, Johannesburg | Tel: 010 023 5207 | Email: complaints.IR@inforegulator.org.za.