Data Protection Statement

Introduction
This data protection statement describes how this personal data must be collected, handled and stored to meet Rattlehub Digital (Pty) Ltd’s company data protection standards and to comply with the law.

Collection and processing of personal data
We may collect the following information:

• Rattlehub collect and process your personal information mainly to provide you with access to our products and services, and to help us improve the product offering and experience to you.
• We will only collect information that we need in order to provide you with the products and services you have selected, directly or indirectly which may include collecting information about you from other sources.
• The information collected may include your name, place of birth, financial information, employment history, address, contact details, date and place of birth.

Data Use
Insofar as Rattlehub processes your personal information, we will process or use your personal information only for the following purposes:

• to provide our products or services to you, directly or indirectly through business partners
• to execute the transactions, you requested
• to maintain the relationship with our business partners and indirectly with their clients
• to confirm and verify your identity or to verify that you are an authorised user for security purposes
• for the detection and prevention of fraud, crime, money laundering or other malpractice
• to conduct market or customer satisfaction research or for statistical analysis
• for audit and record keeping purposes
• assisting in improving our products and services
• for legal proceedings

Rattlehub will also, directly or indirectly use your personal information to comply with legal and regulatory requirements or industry codes. The processing of your personal information will always be done lawfully and not in a manner infringing on your privacy.

Data Protection
Disclosure of your information:

• Rattlehub will not sell, rent, or trade your personal information to any third party.
• Rattlehub may share aggregated information (for example, demographic data) with its stakeholders and business partners, but it will not disclose your personal information to third parties save with your consent or as provided in this data protection statement.
• Rattlehub may also disclose your information:
  • where we have a duty or a right to do so in terms of law or industry codes
  • where we believe it is necessary to protect our rights
  • we are compelled by law or a court order to do so
• To the extent that Rattlehub uses third party providers to assist us in making the services on this site available to you, we may disclose your personal information to such third parties (and you consent to such disclosure) if you have elected to receive one of those services, which they assist in providing.
• Rattlehub may need to transfer your personal information cross border for processing or storage, for example cloud storage. We will take reasonable steps to ensure that anyone to whom we pass your personal information agrees to treat your information with the same level of protection that we do and that they operate within a jurisdiction subject to privacy legislation providing an “adequate level of protection” as defined in the Act. Insofar as your personal information needs to be transferred cross-border for the purposes specified above, you consent to the transfer of your personal information by Rattlehub.
• Rattlehub cannot guarantee the security of any information you transmit to us online and you do so at your own risk.

Security
Rattlehub shall protect the quality and integrity of your personal information. We are legally obliged to provide reasonable and adequate protection for the personal information we hold and to prevent unauthorised access and use of your personal information.

Specifically, we have the following in place:

• All data is secured by encryption and all traffic is sent using SSL authentication in encrypted form, which prevents information outflow even if it is intercepted.
• Certificates and keys are generated by a separate mechanism, which is not available on the application code as it is encrypted and stored in a secret repository.
• Each end-user’s data is only visible to themselves – separation by design of those who own the data (can view it) and those that manage the data – only the end user can view their data in plain text.

Transfer of Personal information outside the Republic
The Promotion of Access to Information Act, no 2 of 2000 stipulates the following in Chapter 9 of the Act:
(1) A responsible party₁ in the Republic may not transfer personal information about a data subject₂ to a third party who is in a foreign country unless—
(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—
(i) effectively upholds principles for reasonable processing₃ of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
(ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
(b) the data subject consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
(e) The transfer is for the benefit of the data subject, and—
(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
(ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
(2) For the purpose of this section—
(a) ‘‘binding corporate rules’’ means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
(b) ‘‘group of undertakings’’ means a controlling undertaking and its controlled undertakings
₁ “responsible party” – means a public or private body or any other person, alone or in conjunction with others, determines the purpose of and means for processing personal information (Chapter 1 of the Act)
₂ “data subject” – means the person to whom personal information relates (Chapter 1 of the Act)
₃ “processing” – means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including ….storage…. (Chapter 1 of the Act)

Website Clickstream Data
Information gathered can be used as follows:

• Rattlehub may collect anonymous information from visitors to its websites to help it provide better customer service. For example, Rattlehub keeps track of the domains from which people visit our website and also measures visitor activity on our website. In doing so Rattlehub ensures the information cannot be used to identify you.
• Rattlehub or its analytic partners may use this data to analyse trends and statistics and to help it provide better customer service.
• If you do not wish your personal information to be used in this way, you can restrict or block cookies through your browser settings. For more information please visit https://www.aboutcookies.org.

Access to Information
Subject to certain exceptions, you have the right, in terms of The Promotion of Access to Information Act, no 2 of 2000, to request a copy of the personal information, which we have on record for you.
If you want to access some or all of your information, please refer to our PAIA Manual located here or you may direct your request to the Chief Data Officer at 4 Cambridge Office Park, 5 Bauhinia St, Highveld Techno Park, Centurion, 0169. Keeping your personal information up-to-date and accurate remains your sole responsibility.

If you have any comments or questions about our Data Protection Statement please contact the Chief Data Officer.