
PRIVACY POLICY

1. DEFINITIONS

1.1. “company” or “we” or “us” or “our” means Ryanmark Capital (Pty) Ltd with
registration number 2010/008827/07, a company duly incorporated in
accordance with the laws of the Republic of South Africa;
1.2. “data subject” means the natural person and/or juristic person to whom
the personal information relates;
1.3. “personal information” means the information as set out in section 1 of
the POPI Act;
1.4. “policy” means this privacy policy, as amended from time to time;
1.5. “POPI Act” means the Protection of Personal Information Act, 4 of 2013.

2. PURPOSE
2.1. The company takes its data protection and information security
responsibilities very seriously. The company recognises the importance of
your privacy and understands your concerns regarding security of your
personal information. We are committed to the effective management of
all personal information that is provided to us or collected by us during the
course of our business operations.
2.2. The purpose of this policy is to set out the generally accepted principles
that apply to the collection, processing, retention, destruction and sharing
of personal information by the company in respect of its clients, potential
clients, employees, consultants, suppliers and potential suppliers.

3. PERSONAL INFORMATION COLLECTED BY THE COMPANY
3.1. The company may collect personal information from a variety of sources
which includes, but is not limited to –
3.1.1. information we collect directly from you
3.1.2. personal details such as name inclusive of first name, middle
name and surname, date of birth, gender, identity number,
passport number and company registration number;

3.1.3. contact details such as phone number, email address, physical
address and postal address;
3.1.4. financial information such as bank confirmation letter, bank
statements, financial statements, management accounts, VAT
certificate, income tax certificate and a letter of good standing;
3.1.5. information we collect from third party sources.
3.2. The company will not process the following categories of personal
information, unless legally required to do so –
3.2.1. race or ethnic origin;
3.2.2. political opinions;
3.2.3. religious or philosophical beliefs;
3.2.4. trade union memberships;
3.2.5. genetic or biometric data; and
3.2.6. sexual orientation.

4. POLICY PRINCIPLES
4.1. The personal information processed by the company is underpinned by
the following 8 principles, which form the foundation of the company’s
approach to privacy –
4.1.1. accountability
4.1.1.1. the company is responsible for complying with measures
to give effect to the principles below, and to data
protection legislation;
4.1.2. processing limitation
4.1.2.1. personal information should not be disclosed, made
available or otherwise used for purposes other than those
for which it was collected, without the consent of the data
subject or as required by law;

4.1.3. purpose specification
4.1.3.1. the purpose for which personal information is collected
should be specified;
4.1.4. further processing limitation

4.1.4.1. further processing of personal information must be
compatible with the purpose for which the information was
collected in principle 3;

4.1.5. information quality
4.1.5.1. personal information should be relevant for the purpose(s)
for which it is used, and should be accurate, complete and
kept up-to-date;
4.1.6. transparency and openness
4.1.6.1. there should be a general policy of openness about
developments, practices and policies with respect to
personal information. A data subject should readily be
able to establish the existence and type of personal
information, the main purpose(s) of use of the personal
information and the identity of the person responsible for
its processing;
4.1.7. security safeguards
4.1.7.1. personal information should be protected by reasonable
security safeguards against risks such as unauthorised
access, destruction, use or disclosure of data;

4.1.8. data subject rights
4.1.8.1. data subjects, at a minimum, and where required by
applicable data protection legislation, have the right to –
4.1.8.2. obtain confirmation of whether or not the company has
personal information relating to them;
4.1.8.3. object to the company processing their personal
information, however the company may object if it has a
compelling and lawful reason to continue processing the
personal information;
4.1.8.4. receive copies of personal information relating to them;
4.1.8.5. have their personal information deleted or corrected;
4.1.8.6. complain to a regulatory authority or the company’s
information officer or deputy information officer (set out in
clause 8.1) should they be of the view that their personal
information has been interfered with.

5. THE COMPANY’S APPROACH
5.1. The company’s approach is linked to the data life cycle
5.2. collection

5.2.1. the volume of personal information collected should be limited to
the personal information required for the purpose for which it was
collected;
5.2.2. the company may collect personal information for the following
purposes –
5.2.2.1. to perform credit checks, background verification and
other necessary assessments on data subjects in relation
to the purchase order finance or invoice discounting
application processes;
5.2.2.2. to perform credit checks, background verification and
other necessary assessments on data subjects in relation
to the onboarding of a data subject to the company’s
affiliate partner programme;
5.2.2.3. to provide data subjects with requested services;
5.2.2.4. to verify a data subject’s identity before the company
renders its services to the data subject;  
5.2.2.5. to reply to any queries/complaints or to process requests
regarding personal information;
5.2.2.6. to market the company’s services;
5.2.2.7. to maintain records in accordance with applicable laws.
5.2.3. the company should only collect personal information from the
data subject if it has a lawful basis for processing the personal
information, such as –
5.2.3.1. the express, voluntary and informed consent of the data
subject
5.2.3.2. in circumstances where an individual submits an
application to the company for and on behalf of a
company (including its directors) to provide services, the
individual warrants that he/she has the authority to submit
the application for and on behalf of the particular company
(including its directors or members);
5.2.3.3. in circumstances where an individual submits an
application to the company for and on behalf of a
company (including its directors) to provide services, the
individual consents in his/her personal capacity, and for
and on behalf of the applicable company and each of its
directors for the company to collect, process and use all
data belonging to each relevant data subject;
5.2.3.4. an agreement between the company and the data subject
which requires personal information to be processed;
5.2.3.5. a legal obligation; or
5.2.3.6. the processing protects a legitimate interest of the
company.

5.2.4. the company must take reasonable steps to ensure that personal
information that has been collected is complete, accurate and not
misleading;
5.3. processing
5.3.1. personal information must only be processed for the purpose that
was stated at the time of the collection of the personal
information;
5.3.2. in the event that the company uses the personal information for
any other purpose, then the further processing must be aligned
with the original purpose, or the consent of the data subject must
be obtained before any further processing takes place;

5.4. sharing
5.4.1. personal information held by the company may be processed by
third parties. These relationships shall be governed by a written
data protection agreement, which provides for adequate
protection of the personal information processed by the third
party;
5.4.2. in circumstances where a third party has access to or processes
the personal information of the company’s clients, employees,
consultants or suppliers, the company must determine the
associated risks before entering into any agreement or sharing
any personal information, by conducting a due diligence on the
third party;
5.4.3. the company may not disclose personal information to third
parties, for purposes other than for processing on behalf of the
company, unless –
5.4.3.1. consent of the data subject has been obtained;
5.4.3.2. the company is under a legal obligation to disclose the
information;

5.5. retention
5.5.1. the company will not retain a data subject’s personal information
for longer than the period for which it is needed and in compliance
with applicable law.
5.5.2. retention periods are determined based on –
5.5.2.1. legal obligations relating to minimum periods to retain
information;
5.5.2.2. the purposes for which the company processes the
information;
5.5.2.3. whether the company can achieve those purposes;
5.5.2.4. the amount, nature and sensitivity of the information;
and/or
5.5.2.5. the potential risk of harm from unauthorised use or
disclosure of the information.

5.6. destruction
5.6.1. the company must securely destroy or de-identify personal
information that has reached the end of its retention period, and
there is no longer a lawful basis, including a legitimate interest, to
retain the information.
6. SECURITY SAFEGUARDS
6.1. The company shall take reasonable technical, physical and organisational
measures to ensure the integrity and confidentiality of personal
information held by the company.
6.2. These measures serve to prevent –

6.2.1. loss of, damage to or unauthorised destruction of personal
information; and

6.2.2. unlawful access to or processing of personal information.

7. TRAINING
7.1. All persons who are exposed to and process personal information are
obliged to be trained appropriately in respect of their obligations in terms
of this policy.
7.2. All new employees will be required to complete data privacy training and
all current employees will be required to complete refresher training
annually.
8. CONTACT US
8.1. Should you have any queries regarding this policy or would like to enforce
any rights you may have under data protection laws, please contact us at


8.1.1. Physical address: 44 Melrose Arch Blvd
8.1.2. Email address: info@rmcapital.co.za
8.1.3. Attention: (Information Officer)
8.1.4. Telephone number: Nellie Kunene 084 046 8080
8.2. We will endeavour to respond to any such requests as soon as is
reasonably practicable. In some instances, Xxx may be able to charge a
fee for responding to your request and shall advise you of this and any
applicable amount prior to responding.
8.3. You have the right to lodge a complaint with the Information Regulator, the
details of which are set out below (although we urge you to contact us to
bring it to our attention first, using the details above, so that we can
attempt to assist you and/or resolve any issue before it is escalated) –
8.3.1. Complaints email: POPIAComplaints@inforegulator.co.za
8.3.2. General enquiries email: enquiries@inforegulator.org.za

9. AMENDMENTS TO THIS POLICY
The company reserves the right to amend or update this policy from time to time.

10. COMPLIANCE WITH THIS POLICY
10.1. Compliance with this policy will be monitored on an ongoing basis. Any
breach of or non-compliance with this policy must be communicated to
either the information officer or deputy information officer.
