IMD Innovations Proprietary Limited (Registration No. 2012/003345/07), trading as iStratgo (“IMD”, “we”, “us”, or “our”), with its principal place of business at Fourways Golf Park, Roos Street, Fourways, Johannesburg, 2190, is committed to protecting your privacy and personal information.

This Privacy Policy and Data Processing Agreement explains how we collect, use, disclose, and safeguard your personal information when you use our strategy management platform, iStratgo (the “Platform”).

This policy is governed by the Protection of Personal Information Act 4 of 2013 (POPIA) and applies to all users of the Platform. By registering an account or using the Platform, you confirm that you have read and understood this Privacy Policy and agree to its terms.

Unless otherwise expressly stated, the following definitions apply throughout this Agreement:

• “Agreement” means this Privacy Policy and Data Processing Agreement together with IMD’s Terms of Service.

• “Authorised User” means individuals and their personnel who are authorised to access and use the Services.

• “Confidential Information” means all technical, trade, commercial, financial and management information and secrets used by a Party in the conduct of its business which is not readily available to competitors.

• “Data Subject” means an individual or juristic entity which is the subject of Personal Information that may be Processed under this Agreement.

• “Intellectual Property Rights” means all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including copyright, database rights, trade secrets, know-how, trademarks, patents, and designs.

• “Operator/Processor” means a public or private body or any other person who processes Personal Information for a Responsible Party/Controller in terms of a contract or mandate, without coming under the direct authority of the Responsible Party/Controller.

• “Personal Information” means all information relating to an identifiable, living natural person, including that which IMD (or any of its Affiliates or Personnel) processes in connection with its relationship with Users.

• “Personal Information Breach” means an occurrence where there are reasonable grounds to believe that Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.

• “Process, Processed or Processing” means the collection, use, disclosure, transfer, storage, deletion, combination, regulatory submission, and/or other use of Personal Information.

• “POPIA” means the Protection of Personal Information Act 4 of 2013 (as amended) of the Republic of South Africa.

• “Responsible Party/Controller” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information.

• “Services” means the iStratgo software-as-a-service platform and all associated features and functionality.

• “Sub-contractor” means a third-party contractor to whom the Processing of Personal Information is subcontracted or outsourced by IMD in accordance with this Agreement.

• “Supervisory Authority” means the Information Regulator as established in South Africa pursuant to POPIA.

• “Territory” means any country where IMD processes information on behalf of Users.

• “User or Users” means any individual or organisation that uses the Platform, including administrators, managers, and visitors.

2.1 Registration Information

To create an account on the Platform, Users must provide at least an email address and a password and agree to our Terms of Service and this Agreement. Users will provide additional information during the registration flow to help build their profile and to enable us to provide Services.

2.2 Identity & Contact Information

• Full name, job title, and department

• Email address and phone number

• Profile photo

2.3 Account & Usage Data

• Username and encrypted password

• Account settings and notification preferences

• Data entered into scorecards, strategic plans, and reports

• Audit trail and activity history within the Platform

2.4 Technical & Usage Data

When Users visit or use the Platform, we automatically receive technical information including:

• IP address, browser type and version, operating system, and device identifiers

• Pages visited, features used, and search queries made on the Platform

• Login timestamps and session duration

• Referring URLs and click-through data

• Name of your ISP or mobile carrier

• Essential cookies (see Section 8)

2.5 Communications Data

• Support queries and correspondence with our team

• Feedback and survey responses

• Directly from you: when you register, complete your profile, or contact us

• Automatically: via server logs, cookies, and usage analytics when you interact with the Platform

• From your organisation: your employer or administrator may provide your information when provisioning your account

Under POPIA, we process your personal information on the following lawful grounds:

• Consent: where you have given us explicit consent, e.g. for optional data fields or marketing communications

• Contractual necessity: to provide you with the services you have signed up for

• Legitimate interests: to improve the Platform, detect fraud, and ensure security, where these interests are not overridden by your rights

• Legal obligation: where we are required to process your data to comply with applicable South African law

• Creating, verifying, and managing your account

• Providing access to scorecards, strategic plans, dashboards, and reports

• Sending notifications about system updates, alerts, and important changes

• Improving, personalising, and maintaining the Platform

• Detecting and preventing fraudulent activity or misuse of the Platform

• Meeting our legal and regulatory obligations under South African law

• Generating anonymised, aggregated analytics and reports (which cannot identify you personally)

• Providing customer support services

IMD communicates with Users through email, notices posted on the Platform, and other available means. These include:

• Welcome and engagement communications: informing Users about how to best use the Platform, new features, and updates

• Service communications: covering service availability, security, and other issues about the functioning of the Platform

• Promotional communications: containing promotional information. These are sent based on User profile information and messaging preferences. Users may change email and contact preferences at any time by signing into their account and opting out

Users cannot opt out of receiving essential service messages. IMD may provide notices via a banner on the Platform, email, or other contact methods. Users agree to keep their contact information up to date.

7.1 Service Providers & Sub-contractors

We share data with trusted third-party service providers and sub-contractors who assist us in operating the Platform, including cloud hosting providers, email delivery services, and analytics tools. All such providers are bound by confidentiality agreements and may only process your data on our instructions.

7.2 Legal & Regulatory Disclosure

We may disclose your personal information if required to do so by law, court order, or a competent regulatory authority (including the Information Regulator of South Africa). If IMD receives any demand for disclosure of Personal Information by law, IMD will promptly notify the affected User in writing (unless legally prohibited from doing so).

7.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your personal information may be transferred to the relevant third party. We will notify you before your data is transferred and becomes subject to a different privacy policy.

7.4 What We Do Not Do

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

IMD uses cookies to store a session identifier in order to correctly serve Users their data as well as improve experience, increase security, and measure use and effectiveness of the Platform.

We use the following types of cookies:

• Essential cookies: required for the Platform to function, including maintaining your login session and remembering your preferences. These cannot be disabled.

• Performance cookies: collect information about how visitors and users use the Platform, for example which functionality visitors use most often. These cookies do not collect information that identifies a visitor or user. All information collected is aggregated and therefore anonymous. We only use these cookies to improve how the Platform works.

• Analytics cookies: help us understand how the Platform is used so we can improve it. These are anonymised and do not track you across other websites.

We do not use third-party advertising or retargeting cookies. Users can control cookies through browser settings and other tools. By visiting the Platform, Users consent to the placement of cookies in their browser in accordance with this Agreement.

You may be able to configure your browser to restrict cookies or block all cookies if you wish, however if you disable cookies you may find this affects your ability to use certain parts of the Platform. For more information about cookies and instructions on how to adjust your browser settings to accept, delete or reject cookies, visit www.allaboutcookies.org/manage-cookies.

We keep a record of traffic data which is logged automatically by our servers, such as your Internet Protocol (IP) address, device information. We also collect some site, application and service statistics such as access rates, page hits and page views. We are not able to identify any individual from traffic data or site statistics.

We retain your personal information only for as long as necessary for the purposes outlined in this policy, or as required by law. Our general retention periods are:

• Active account & profile data: Duration of your account

• Platform usage and activity data: Duration of your account

• Communications & support logs: 2 years

• Server and access logs: 90 days

• Marketing consent records: Until you withdraw consent

• Deleted account data: Fully purged within 30 days of account deletion request

After the applicable retention period, data is securely deleted or anonymised so it can no longer identify you.

10.1 Data After Account Termination

• On notice of termination or account deletion, Users will have 30 days to download or export their data using available mechanisms.

• After the 30-day period, IMD will lock the account and the User will no longer have access to any of the Personal Information.

• Personal Information, after the 30-day download period has expired, may be retained for the legal basis of historical purposes. When required, access may be provided upon request to the Information Officer.

• Appropriate safeguarding measures will continue to be applied as if the agreement for processing of Personal Information was still in place.

• IMD warrants that Personal Information stored for historical purposes will not be used for any other purpose.

• Should a User require that their Personal Information be permanently deleted, IMD will delete or destroy all copies in its systems or possession, unless legally prohibited from doing so.

IMD has implemented appropriate safeguards against the unauthorised access to, and destruction, loss, or alteration of Users’ Confidential Information and Personal Information. We implement appropriate technical and organisational measures including:

• Encrypted connections (HTTPS / TLS) for all data in transit

• Encrypted storage for passwords and sensitive data at rest

• Role-based access controls limiting employee access to personal data

• Regular security reviews and vulnerability assessments

• Secure data centres hosted within compliant cloud environments

• Logical separation of User data from data processed on behalf of other parties

IMD warrants that it shall maintain such safeguards for so long as it has any User Confidential Information and Personal Information in its possession or has access to such information.

In the event of a Personal Information Breach that is likely to affect your rights or interests, we will notify you and the Information Regulator within 72 hours of becoming aware of the breach, in accordance with POPIA, and provide a detailed description of the breach, the type of data affected, and all reasonable steps taken to remedy and prevent further breaches.

Any user that delivers or attempts to deliver any damaging code to this website or attempts to gain unauthorised access to any page on this website shall be criminally prosecuted. IMD may also, at its sole discretion, institute civil action for damages suffered as a result of such conduct.

Please note that no method of electronic transmission or storage is 100% secure. If you suspect unauthorised access to your account, please contact us immediately.

IMD shall procure that each of its Sub-contractors and/or Affiliates contractually agree in writing that they will:

• Comply with POPIA and this Agreement;

• Not access, use, or process User data and/or Personal Information except to the extent reasonably necessary in performance of obligations;

• Not perform any act that puts Users at risk of their data being disclosed;

• Implement appropriate technical and organisational security measures to preserve the integrity of User data; and

• Prevent any unauthorised or unlawful access, accidental or unauthorised destruction, corruption, loss, alteration or disclosure of User data.

As a data subject under the Protection of Personal Information Act (POPIA), you have the following rights:

• Right to Access: request a copy of all personal information we hold about you

• Right to Rectification: request correction of inaccurate or incomplete information

• Right to Erasure: request deletion of your personal data, subject to our legal retention obligations

• Right to Restriction: request that we limit the processing of your data in certain circumstances

• Right to Object: object to the processing of your data for direct marketing or where processing is based on our legitimate interests

• Right to Withdraw Consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing

• Right to Data Portability: request your data in a structured, machine-readable format

• Right to Close Account: close your account at any time, subject to the data retention provisions in Section 10

• Right to Complain: lodge a complaint with the Information Regulator of South Africa if you believe we have violated your rights

To exercise any of these rights, please contact our Information Officer at info@istratgo.com. We will respond within 30 days of receiving your request.

• The Content, Software, User Documentation, logos and Services are proprietary products and services and that all right, title and interest in and to the Content, Software, User Documentation, logos and Services, including all associated intellectual property rights, are and shall at all times remain with iStratgo and its third-party licensors.

• The iStratgo Software contains trade secrets and proprietary information owned by iStratgo or its third-party licensors and is protected by South Africa copyright laws and international trade provisions.

• iStratgo cannot nor does it exercise continuous editorial control over the content of this site and accepts no responsibility for any illegal, discriminatory, defamatory or obscene content appearing on this site.

Our Platform is primarily hosted and operated within South Africa. IMD may perform replication of Personal Information to data centres in other jurisdictions for the purposes of implementing adequate disaster recovery processes and other legitimate processing activities.

Section 72 of POPIA allows the transfer of Personal Information to a recipient in a foreign country in circumstances where, amongst others:

• The recipient is subject to a law, binding corporate rules or binding agreement that provides an adequate level of protection substantially similar to POPIA;

• The Data Subject consents to the transfer;

• The transfer is necessary for the performance of a contract between the Data Subject and the Responsible Party/Controller; or

• The transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain consent.

Where any of our service providers process data outside of South Africa, we ensure that appropriate safeguards are in place consistent with Section 72 of POPIA, including that the receiving jurisdiction provides adequate data protection that effectively upholds the principles of lawful processing.

• iStratgo Web Site may contain hyperlinks to other sites which are not maintained by, or related to, iStratgo. Hyperlinks to such sites are provided as a service to users and are not sponsored by or affiliated with the Web Site or iStratgo.

• iStratgo does not continuously monitor or review any or all of such sites and is not responsible for the content of those sites. Hyperlinks are to be accessed at the user's own risk.

• iStratgo makes no representation or warranties about the content, completeness or accuracy of these hyperlinks or the sites hyperlinked to this Web Site.

• iStratgo provides hyperlinks as a convenience, and the inclusion of any hyperlinks to a third-party site does not necessarily imply endorsement by iStratgo of that site or any association with its operators.

No user be it person or business, website or bot may:

• Reverse engineer, disassemble, decompile or make any attempt to ascertain, derive or obtain the source code for this website.

• Use any technology to search and gain information from this site.

In cases of suspected fraud, theft, or suspected data breach, IMD shall allow affected parties and their auditors, regulators, and other advisers to audit relevant records pertaining to the data breach, subject to:

• At least 30 (thirty) business days’ prior written notice of intention to conduct an audit;

• Reasonable endeavours to complete the audit within 5 (five) business days from commencement;

• The requesting party bearing all costs and expenses incurred in respect of the audit.

In the event that an audit identifies substantive findings relating to misrepresentation or a material default by IMD, IMD shall reimburse reasonable costs incurred and take necessary steps to comply with its obligations at no additional cost.

• The user agrees that the use of the iStratgo site is at the user's sole risk.

• iStratgo makes no representations or warranties that this website is free from errors or omissions nor that the service provided will be uninterrupted and free from defects.

• This site is provided without any representation or endorsement made and without any warranty of any kind whether express or implied, including but not limited to warranties of satisfactory quality, non-infringement, title, security and compatibility. It is the sole responsibility of the users to satisfy themselves prior to entering into this agreement that the services available on this site will meet the user's individual requirements and be compatible with the user's hardware and/or software.

• No warranty, whether express or implied, is given that any applications, downloads or files available via this website are free of viruses, worms, trojans, bombs, time locks or any other data or code which has the ability to corrupt or affect the operation of the user's system.

• No advice or opinion expressed on this site should be regarded as professional advice and users are advised to seek professional advice before placing reliance on any opinion given in this site.

IMD shall cooperate, on request, with the Information Regulator (Supervisory Authority) in the performance of its tasks, in accordance with POPIA.

This Agreement shall be governed by and construed and interpreted in accordance with the laws of the Republic of South Africa.

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. When we make material changes, we will notify you by email and/or a prominent notice on the Platform prior to the change taking effect. Continued use of the Platform after changes take effect constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal information, please contact our Information Officer:

• Information Officer: Alwyn Stoman

• Email: info@istratgo.com

• Phone: +27 (010) 035 0223

• Address: Fourways Golf Park, Roos Street, Fourways, Johannesburg, 2190, South Africa

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:

• Website: www.inforegulator.org.za

• Email: complaints.IR@justice.gov.za

• Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001