Privacy & Data Protection Policy

Version: 1.0
Effective Date: 20 February 2026
Last Reviewed: 20 February 2026
POPIA Status: Fully Compliant
Part of the Master Service Agreement (MSA) – Incorporated by Reference

🔒 POPIA Compliant 🍪 Cookie Policy 🛡️ Data Security 📊 Data Processing 🔐 Data Subject Rights 📜 Breach Protocol

📌 RELATIONSHIP TO MASTER SERVICE AGREEMENT:
This document is incorporated by reference into the Master Service Agreement (MSA). It applies to all users of the Long Haul Technologies website, all clients engaging our services, and all data subjects whose personal information we process. Capitalized terms used but not defined herein have the meanings given in the MSA.

PART A: INTRODUCTION & SCOPE

A.1 Overview

Long Haul Technologies ("Company", "we", "us", "our") is committed to protecting the privacy and security of personal information. This Privacy & Data Protection Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with us.

We comply with the Protection of Personal Information Act, 2013 (POPIA) and all applicable data protection laws. We are registered as an operator under POPIA and process personal information on behalf of responsible parties (our clients) as well as in our own capacity as a responsible party for our direct interactions with data subjects.

A.2 Scope

This policy applies to:

Website Visitors: Individuals who visit our website at www.longhaultech.com
Clients: Organizations and individuals who engage our services
Client End-Users: Individuals whose information is processed through systems we provide to clients (e.g., LMS users, learners, assessors)
Prospective Clients: Individuals who contact us for information about our services
Suppliers and Partners: Individuals associated with our vendors and business partners
Job Applicants: Individuals applying for positions with us

A.3 Definitions

For purposes of this policy:

"Personal Information" means any information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including but not limited to information relating to race, gender, sex, pregnancy, marital status, national origin, age, physical or mental health, well-being, disability, religion, belief, language, education, financial history, identifying number, email address, physical address, telephone number, biometric information, and opinions of or about the person.
"Processing" means any operation or activity concerning personal information, including collection, receipt, recording, organization, collation, storage, updating, modification, retrieval, consultation, use, dissemination, merging, linking, blocking, degradation, erasure, or destruction.
"Responsible Party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
"Operator" means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
"Data Subject" means the person to whom personal information relates.

PART B: INFORMATION WE COLLECT

B.1 Information You Provide Directly

We collect information you voluntarily provide to us, including:

Category	Examples	Purpose
Contact Information	Name, email address, phone number, physical address, job title, company name	Communication, service delivery, billing, marketing (with consent)
Account Information	Username, password, security questions, account preferences	Account creation, authentication, personalization
Payment Information	Billing address, payment method details (processed by third-party payment processors)	Payment processing, invoicing, financial records
Client Content	Course materials, learner data, assessments, user content uploaded to our systems	Service delivery (processed on behalf of clients)
Communication Data	Emails, support tickets, chat messages, call recordings (with notice)	Client support, record-keeping, quality assurance
Application Data	CV/resume, cover letter, employment history, qualifications	Recruitment and hiring

B.2 Information Collected Automatically

When you visit our website or use our services, we automatically collect certain information:

Category	Examples	Purpose
Device Information	IP address, browser type, operating system, device type, screen resolution	Website optimization, security, analytics
Usage Data	Pages visited, time spent, links clicked, referral source, navigation paths	Analytics, user experience improvement, marketing effectiveness
Cookies & Tracking	Cookie identifiers, tracking pixels, session data	Functionality, analytics, personalization (see Part F)
Log Data	Server logs, error reports, timestamps, access records	Security, troubleshooting, system monitoring

B.3 Information from Third Parties

We may receive information about you from third parties, including:

Clients: When our clients provide us with information about their end-users (learners, employees, etc.) for processing through our systems
Business Partners: Information from partners who refer you to us or with whom we jointly offer services
Public Sources: Information from publicly available sources (e.g., LinkedIn, company websites) for business development purposes
Service Providers: Information from third-party service providers who assist us with fraud prevention, security, or analytics

📌 CLIENT END-USER NOTICE:
If you are a user of a system provided by Long Haul Technologies to one of our clients (e.g., a learner using an LMS), the client is the responsible party for your personal information. We process your information as an operator on behalf of the client. Please refer to the client's privacy policy for information about how they handle your data. This policy applies to our processing of your information on behalf of the client.

PART C: HOW WE USE INFORMATION

C.1 Lawful Bases for Processing (POPIA Section 11)

Under POPIA, we process personal information only on lawful grounds, including:

Lawful Basis	Application
Consent	Where you have freely given specific, informed consent (e.g., marketing communications, cookies)
Contractual Performance	Processing necessary to perform a contract with you (e.g., service delivery, payment processing)
Legal Obligation	Processing required to comply with legal obligations (e.g., tax records, regulatory compliance)
Legitimate Interest	Processing necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your rights (e.g., security, fraud prevention, business improvement)
Public Interest	Processing necessary for the performance of a task carried out in the public interest
Legal Claim	Processing necessary for the establishment, exercise, or defense of legal claims

C.2 Specific Purposes

We use personal information for the following specific purposes:

Purpose	Categories of Information	Lawful Basis
Service Delivery	Contact information, account information, client content, usage data	Contractual performance
Client Support	Contact information, communication data, account information	Contractual performance, legitimate interest
Billing and Payments	Contact information, payment information, transaction data	Contractual performance, legal obligation
Security and Fraud Prevention	Device information, usage data, log data, account information	Legitimate interest, legal obligation
Marketing and Communications	Contact information, usage data, device information	Consent (where required), legitimate interest
Analytics and Improvement	Usage data, device information, cookies	Legitimate interest, consent (for cookies)
Legal Compliance	All relevant categories	Legal obligation
Recruitment	Application data	Consent, legitimate interest

PART D: INFORMATION SHARING AND DISCLOSURE

D.1 When We Share Information

We may share personal information in the following circumstances:

Recipient Category	Examples	Purpose
Service Providers and Operators	Cloud hosting providers (AWS, DigitalOcean), payment processors (PayFast, PayU), analytics providers (Google Analytics), email service providers, support tools	To enable them to provide services on our behalf. We have written agreements with all service providers requiring them to protect information and process only in accordance with our instructions.
Clients (as Responsible Parties)	Organizations for whom we provide services	When we process information on behalf of clients, they are the responsible party. We provide them with access to information as necessary for their purposes.
Professional Advisors	Lawyers, accountants, auditors, insurers	To obtain professional advice, manage risk, comply with legal obligations
Business Transfers	Potential buyers, investors, successors in interest	In connection with a merger, acquisition, restructuring, or sale of assets (with appropriate confidentiality protections)
Legal and Regulatory Authorities	Courts, regulators, law enforcement, information regulators (e.g., Information Regulator of South Africa)	To comply with legal obligations, respond to lawful requests, protect our rights
With Your Consent	Third parties you authorize	Where you have specifically consented to sharing

D.2 International Transfers

We may transfer personal information to countries outside South Africa for processing, including to service providers located in countries such as the United States, European Union, and other jurisdictions.

When we transfer personal information across borders, we ensure appropriate safeguards are in place, including:

Transferring only to countries with adequate data protection laws recognized by South Africa;
Entering into data transfer agreements based on standard contractual clauses approved by the Information Regulator;
Obtaining your consent where required by applicable law.

By providing your personal information to us, you acknowledge that we may transfer it to countries that may not have the same level of data protection as South Africa, but we will take steps to protect your information as described in this policy.

D.3 No Sale of Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Any sharing is limited to the purposes described in this policy.

PART E: DATA SECURITY

E.1 Security Measures

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, accidental loss, alteration, disclosure, or destruction, including:

Category	Measures Implemented
Technical Measures	• Encryption of data in transit (TLS/SSL) • Encryption of sensitive data at rest • Firewalls and intrusion detection systems • Regular security patches and updates • Secure authentication requirements • Access controls and least privilege principles • Regular backups with secure storage
Organizational Measures	• Access restricted to personnel with legitimate need • Confidentiality agreements with all staff • Regular security awareness training • Written information security policies • Background checks for relevant positions • Vendor security assessments
Physical Measures	• Secure office premises • Access controls to facilities • Secure disposal of physical records • Data center security (via hosting providers)

E.2 Security Breach Response

In the event of a security breach affecting personal information, we have procedures to:

Identify and contain the breach immediately;
Assess the risk to affected data subjects;
Notify the Information Regulator as required by POPIA (without unreasonable delay, but within 72 hours where feasible);
Notify affected data subjects where the breach poses a real risk of harm;
Take steps to mitigate any potential harm;
Investigate the cause and implement measures to prevent recurrence.

⚠️ BREACH NOTIFICATION CONTACT:
If you suspect a security breach involving your personal information, please contact us immediately at:
Email: security@longhaultech.com
Phone: 062 688 0213
Response Time: We will acknowledge receipt within 24 hours and provide regular updates.

PART F: COOKIE POLICY

F.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work more efficiently and provide information to website owners.

F.2 Types of Cookies We Use

Cookie Category	Purpose	Duration	Consent Required
Essential Cookies	Required for website functionality, security, and to enable core features such as login, session management, and payment processing	Session / Persistent	No (strictly necessary)
Analytics Cookies	Help us understand how visitors interact with our website by collecting anonymous information about pages visited, time spent, and errors encountered (Google Analytics, etc.)	Persistent (up to 2 years)	Yes
Functional Cookies	Remember your preferences and choices to enhance your experience (language preferences, region, etc.)	Persistent (up to 1 year)	Yes
Marketing Cookies	Track your activity across websites to build profiles for targeted advertising (Facebook Pixel, LinkedIn Insight, etc.)	Persistent (up to 90 days)	Yes

F.3 Cookie Consent

When you first visit our website, we display a cookie banner requesting your consent for non-essential cookies. You can:

Accept all cookies;
Reject non-essential cookies (essential cookies will still function);
Customize your preferences by category;
Withdraw consent at any time by clearing cookies or adjusting your browser settings.

F.4 Managing Cookies

You can control and manage cookies through your browser settings:

Chrome: Settings → Privacy and Security → Cookies and other site data
Firefox: Options → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Cookies and website data
Edge: Settings → Site permissions → Cookies and site data

Please note that blocking essential cookies may affect website functionality.

PART G: DATA RETENTION

G.1 Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Information Category	Retention Period	Rationale
Client Records (Contractual)	Duration of contract + 5 years	Legal obligation (prescription periods, tax records)
Client End-User Data	As directed by client + 30 days after contract termination (subject to data export)	Contractual obligation (processed on behalf of client)
Financial Records	7 years	Tax and legal requirements (Income Tax Act, Companies Act)
Marketing Data	Until consent withdrawn or 2 years after last interaction	Legitimate interest, consent
Website Analytics	26 months (Google Analytics default)	Analytics and improvement
Recruitment Data	6 months after decision (12 months with consent)	Legitimate interest, consent
Support Communications	3 years after resolution	Quality improvement, dispute resolution

G.2 Data Deletion

After the retention period expires, we securely delete or anonymize personal information. Methods include:

Permanent deletion from databases and backups;
Secure overwriting of electronic files;
Physical shredding of paper records;
Anonymization for analytical purposes where appropriate.

PART H: DATA SUBJECT RIGHTS

Under POPIA, you have the following rights regarding your personal information:

📋 Right to Access

Request confirmation of whether we hold your information and request a copy

✏️ Right to Correction

Request correction of inaccurate or incomplete information

🗑️ Right to Deletion

Request deletion of information no longer required or unlawfully processed

⏸️ Right to Object

Object to processing on grounds of legitimate interest or for direct marketing

🔄 Right to Data Portability

Request transfer of information to another provider (where technically feasible)

⚖️ Right to Complain

Lodge a complaint with the Information Regulator

H.1 Exercising Your Rights

To exercise any of these rights, please contact us using the details in Part L. We will respond to all legitimate requests within 30 days, unless exceptional circumstances require an extension (which we will communicate to you).

We may need to verify your identity before processing your request. This is a security measure to ensure personal information is not disclosed to unauthorized persons.

There is no charge for exercising your rights, unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee.

H.2 Access Request Procedure (POPIA Section 23)

To request access to your personal information, please submit a formal request containing:

Your full name and identity number;
Contact details for correspondence;
Description of the information requested;
The form of access required (e.g., electronic copy, printout);
Proof of identity.

We will notify you within 30 days of receiving your request and may provide access subject to any lawful grounds for refusal under POPIA Section 27.

PART I: POPIA COMPLIANCE FRAMEWORK

I.1 Conditions for Lawful Processing (POPIA Chapter 3)

We adhere to the eight conditions for lawful processing under POPIA:

Condition	Our Compliance Measures
1. Accountability	We have appointed an Information Officer, maintain records of processing activities, and conduct regular compliance assessments.
2. Processing Limitation	We collect information only for specified, lawful purposes with consent or other lawful basis. We collect minimal information necessary.
3. Purpose Specification	We clearly specify purposes at the time of collection (this policy serves as notice). Information is not used for incompatible purposes.
4. Further Processing Limitation	Further processing is compatible with original purposes, with consent, or required by law.
5. Information Quality	We take reasonable steps to ensure information is accurate, complete, and up to date, including providing correction mechanisms.
6. Openness	This policy provides transparency about our practices. We maintain documentation of processing activities.
7. Security Safeguards	We implement technical and organizational measures as described in Part E, including breach response procedures.
8. Data Subject Participation	We provide mechanisms for data subjects to access and correct their information as described in Part H.

I.2 Information Officer

We have appointed an Information Officer as required by POPIA:

Information Officer: [Name]
Email: info.officer@longhaultech.com
Phone: Tumelo
Deputy Information Officer: 062 688 0213

I.3 Operator Agreements

Where we engage operators to process personal information on our behalf, we have written agreements requiring them to:

Process information only on our documented instructions;
Implement appropriate security measures;
Notify us of any security breaches;
Assist us in complying with data subject requests;
Return or delete information at the end of the engagement;
Allow us to audit their compliance.

PART J: CHILDREN'S PRIVACY

Our services may be used by children (persons under 18 years) in educational settings, typically under the supervision of schools, training providers, or parents.

J.1 Processing of Children's Information

When we process personal information of children, we do so:

On behalf of our clients (schools, training providers) who are the responsible parties and have obtained appropriate consent from parents or guardians;
With the consent of a competent person (parent or guardian) where we are the responsible party;
As necessary for the provision of educational services.

J.2 Parental Rights

Parents or legal guardians have the right to:

Access their child's personal information;
Request correction or deletion;
Object to processing;
Withdraw consent (where processing is based on consent).

If you believe we may have collected information from a child without appropriate consent, please contact us immediately.

PART K: POLICY UPDATES

We may update this Privacy & Data Protection Policy from time to time to reflect changes in our practices, legal requirements, or operational needs.

K.1 Notification of Changes

Material Changes: We will notify you by email (if we have your contact information) or by prominent notice on our website at least 30 days before changes take effect.
Non-Material Changes: We will update the "Effective Date" at the top of this policy and post the updated version on our website.

K.2 Continued Use

Your continued use of our website or services after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree to the changes, you must stop using our services and request deletion of your information as described in Part H.

PART L: CONTACT INFORMATION

If you have questions, concerns, or requests regarding this policy or our data practices, please contact us:

General Privacy Inquiries:	privacy@longhaultech.com
Information Officer:	info.officer@longhaultech.com
Security Incidents:	security@longhaultech.com
Data Subject Requests:	privacy@longhaultech.com
Phone:	+27 325 8132
Physical Address:	56 4th Street Springs CBD Gauteng South Africa

L.1 Information Regulator of South Africa

You have the right to lodge a complaint with the Information Regulator if you believe we have violated your privacy rights:

Information Regulator (South Africa)
Website: www.justice.gov.za/inforeg/
Email: inforeg@justice.gov.za
Tel: +27 (0)10 023 5200
Address: 33 Hoofd Street, Forum III, 3rd Floor, Braampark, Johannesburg, 2001

📋 DOCUMENT CONSOLIDATION NOTICE:
This Privacy & Data Protection Policy consolidates the following previously separate policies:

Privacy Policy – Parts A, B, C, D, G, H, K, L
POPIA Policy – Parts A, I, L
Cookie Policy – Part F
Data & Security Policy – Parts E, G

By accepting the Master Service Agreement, Client agrees to all terms contained herein.

Version 1.0 | Effective 20 February 2026 | Last Reviewed 20 February 2026
Long Haul Technologies is registered as an operator under POPIA. This policy is reviewed annually and updated as needed.