Privacy Policy

LAST UPDATED: 1 June 2026

PREAMBLE

This Privacy Policy ("Policy") is issued by Kora Consulting (Pty) Ltd (Registration No. K2025980746) ("Kora Consulting", "the Company", "we", "us", or "our"), a private company duly incorporated under the Companies Act 71 of 2008, with its registered office at Sandton, Johannesburg, 2196.

This Policy is issued pursuant to, and in compliance with, the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECTA"), the Consumer Protection Act 68 of 2008 ("CPA"), and all other applicable South African legislation and common law principles governing the processing of personal information.

This Policy governs the manner in which the Company collects, receives, records, organises, stores, updates, uses, disseminates, and destroys personal information in the course of its consulting operations, website interactions, recruitment activities, client engagements, and all other business functions.

This Policy must be read alongside the Company's PAIA Manual, which is a separate document governing public access to records held by the Company in terms of the Promotion of Access to Information Act 2 of 2000. The PAIA Manual is available at www.koraconsulting.co.za. Where a matter is specifically regulated by the PAIA Manual, this Policy does not duplicate those provisions but incorporates them by reference.

BY ENGAGING WITH THE COMPANY'S SERVICES, WEBSITE, COMMUNICATIONS, OR RECRUITMENT PROCESSES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS POLICY AND CONSENT TO THE PROCESSING OF YOUR PERSONAL INFORMATION AS DESCRIBED HEREIN. IF YOU DO NOT AGREE, YOU MUST CEASE ALL INTERACTION WITH THE COMPANY IMMEDIATELY.

1.   DEFINITIONS AND INTERPRETATION

1.1   In this Policy, unless the context indicates otherwise, the following terms bear the meanings assigned to them:

        "Act"  means the Protection of Personal Information Act 4 of 2013, as amended

"Biometric Information"  means personal information of a biological nature, including fingerprints, DNA, retinal scans, voice recognition, and facial recognition

"Company"  means Kora Consulting (Pty) Ltd (Registration No. K2025980746)

"Consent"  means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information

"Data Subject"  means the natural or juristic person to whom personal information relates

"De-identify"  means to delete any information that identifies the data subject or could reasonably be used to identify them, while retaining the information in a form that may be re-identified

"Information Officer"  means Seqobela Nthato Leboli, in his capacity as Managing Director, or such other person designated from time to time in terms of section 55 of the Act

"Operator"  means a person who processes personal information for the Company under a contract or mandate, without coming under the Company's direct authority

"Personal Information"  means information relating to an identifiable, living, natural person, and where applicable an identifiable existing juristic person, as defined in section 1 of the Act

"Processing"  means any operation concerning personal information, including collection, receipt, recording, organisation, storage, updating, retrieval, use, dissemination, merging, blocking, erasure, or destruction

"Responsible Party"  means Kora Consulting (Pty) Ltd, which determines the purpose of and means for processing personal information

"Special Personal Information"  means personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour

"Website"  means the Company's website at www.koraconsulting.co.za and all associated pages and subdomains

1.2   In this Policy: the singular includes the plural and vice versa; a reference to any gender includes all genders; a reference to a natural person includes a juristic person and vice versa; a reference to legislation includes any amendment or re-enactment thereof.

2.   RESPONSIBLE PARTY

2.1   The responsible party for all personal information processed by or on behalf of the Company is Kora Consulting (Pty) Ltd. The Information Officer has been duly designated in terms of section 55 of the Act and is responsible for encouraging compliance with POPIA, managing data subject requests, and liaising with the Information Regulator.

2.2   The Company is registered with the Information Regulator of South Africa in terms of POPIA. For access to records held by the Company in terms of PAIA, please refer to the Company's PAIA Manual, available at www.koraconsulting.co.za.

3.   SCOPE AND APPLICATION

3.1   This Policy applies to all personal information processed by the Company, regardless of the medium in which such information is held, including digital records, cloud-stored data, hard-copy files, and correspondence.

3.2   This Policy applies to all categories of data subjects whose personal information the Company processes, including:

• Clients and their authorised representatives;
• Prospective clients and business development contacts;
• Team members;
• Service providers, suppliers, and professional advisors;
• Visitors to and users of the Website;
• Any other persons whose personal information is processed by the Company in the ordinary course of its operations.

3.3   This Policy does not apply to the processing of personal information by third-party websites linked to from the Company's Website. The Company is not responsible for the privacy practices of third parties. Users are encouraged to review the privacy policies of any third-party website they visit.

4.   LEGAL BASIS FOR PROCESSING

4.1   The Company processes personal information only where a lawful ground for processing exists. The applicable lawful grounds, as provided for in section 11 of the Act, are:

• The data subject has given their voluntary, specific, and informed consent to the processing for a defined purpose;
• Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
• Processing is required to comply with a legal obligation imposed on the Company;
• Processing is necessary to protect the legitimate interest of the data subject;
• Processing is necessary for the pursuit of the legitimate interests of the Company or a third party to whom the information is supplied, and such interests are not overridden by the rights and interests of the data subject.

4.2   Where the Company relies on consent as the basis for processing, data subjects are entitled to withdraw their consent at any time, without prejudice to the lawfulness of processing conducted prior to withdrawal. Withdrawal may be effected by written notice to the Information Officer.

4.3   The Company does not process Special Personal Information except where expressly permitted by sections 26 to 32 of the Act. The Company does not knowingly process the personal information of persons under the age of 18 except where permitted by section 35 of the Act and with the consent of a competent person.

5.   CATEGORIES OF PERSONAL INFORMATION COLLECTED

5.1   The categories of personal information collected by the Company depend on the nature of the data subject's relationship with the Company. The Company collects only such personal information as is adequate, relevant, and not excessive in relation to the purpose of collection.

5.2   Clients and Client Representatives

• Full names, identity or passport numbers, and contact details;
• Company registration numbers, VAT numbers, and B-BBEE compliance information;
• Banking details for invoicing and payment processing;
• Correspondence, instructions, and engagement-related communications;
• Information contained in signed engagement agreements, non-disclosure agreements, and related instruments.

5.3   Team Members

• Full names, identity numbers, and residential addresses;
• Qualifications, certifications, and professional credentials;
• Banking details, tax reference numbers, and payroll-related information;
• Performance records and engagement documentation.

5.4  Prospective Candidates

• Full names, identity numbers, and contact details;
• Curriculum vitae, qualifications, and professional credentials;
• Reference letters, governance certifications, and declarations of interest;
• Any documentation submitted as part of a formal board application.

5.5   Website Visitors

• IP addresses, browser type and device information, automatically collected through standard web server technology;
• Contact form submissions including name, email address, company name, and enquiry content;
• Cookie and tracking data as further described in the Company's Cookie Policy, available at www.koraconsulting.co.za.

6.   PURPOSE OF PROCESSING

6.1   The Company processes personal information only for the following specific, explicit, and lawful purposes:

• To conclude, perform, and administer engagement agreements with clients, including the delivery of management consulting, financial analysis, market research, risk advisory, and operational improvement services;
• To manage employment and engagement relationships, including payroll administration, performance management, and statutory labour compliance;
• To conduct the recruitment, assessment, and appointment of prospective team members, including the processing of applications and reference checks;
• To comply with all applicable statutory and regulatory obligations, including those arising under the Companies Act 71 of 2008, the Income Tax Act 58 of 1962, the Basic Conditions of Employment Act 75 of 1997, the Labour Relations Act 66 of 1995, and applicable anti-money laundering legislation;
• To process payments and manage the Company's financial obligations;
• To conduct business development activities, including the preparation and submission of proposals to prospective clients;
• To respond to enquiries submitted through the Website or other channels;
• To exercise or protect the legal rights and legitimate interests of the Company.

6.2   The Company does not process personal information for purposes incompatible with those set out in section 6.1 above. Any proposed further processing for a new purpose will be assessed for compatibility before it takes place.

7.   DISCLOSURE OF PERSONAL INFORMATION

7.1   The Company does not sell, rent, or trade personal information to any third party for commercial purposes.

7.2   Personal information may be disclosed to the following categories of third parties, strictly to the extent necessary for the purposes described in section 6:

7.3   Regulatory and Governmental Authorities

• South African Revenue Service (SARS) for tax compliance;
• Companies and Intellectual Property Commission (CIPC) for statutory company filings and beneficial ownership disclosure;
• Information Regulator of South Africa for POPIA compliance and PAIA annual reporting;
• Department of Employment and Labour for UIF and other statutory obligations;
• Any court, tribunal, or regulatory authority pursuant to a lawful order or legal process.

7.4   Operators

The Company may engage operators to process personal information on its behalf, including cloud storage providers, accounting software platforms, payroll systems, and professional service providers. All operators are contractually required to: process information only on the Company's written instructions; maintain equivalent security measures; not sub-contract processing without the Company's written consent; and comply with all applicable provisions of the Act.

7.5   Professional Advisors

The Company may disclose personal information to its legal advisors, auditors, and accountants on a strictly confidential and need-to-know basis for the provision of professional services.

7.6   All disclosures within the Company's team are made on a strict need-to-know basis only, limited to personnel who require the information to perform their duties.

8.   TRANSBORDER FLOWS OF PERSONAL INFORMATION

8.1   The Company does not currently transfer personal information outside the Republic of South Africa. All personal information is processed and stored within South Africa.

8.2   Should a transborder transfer be contemplated in the future, it shall only be effected in full compliance with section 72 of the Act, which requires that the recipient jurisdiction provides an adequate level of protection equivalent to that afforded by the Act, or that the data subject has consented to the transfer. This Policy will be updated to reflect any such transfer before it takes effect.

9.   SECURITY SAFEGUARDS

9.1   The Company implements appropriate, reasonable, technical, and organisational measures to secure the integrity and confidentiality of all personal information in its possession, pursuant to section 19 of the Act. These measures are designed to prevent loss of, damage to, unauthorised destruction of, or unlawful access to personal information.

9.2   Current security measures include:

• Password-protected and two-factor-authenticated access to all company email accounts and file storage systems via Google Workspace;
• Role-based and need-to-know access controls limiting access to sensitive personal information to authorised personnel;
• Confidentiality obligations imposed on all team members and associate consultants through engagement contracts and internal policy;
• Regular review of access permissions and security configurations as the Company grows.

9.3   In the event of a security compromise likely to result in harm to a data subject, the Company shall notify the Information Regulator and affected data subjects as required by section 22 of the Act, providing a description of the possible consequences of the compromise and the remedial steps taken.

9.4   All operators engaged by the Company are contractually required to implement security measures at least equivalent to those maintained by the Company itself.

10.   RETENTION AND DESTRUCTION OF PERSONAL INFORMATION

10.1   Personal information is retained only for as long as is necessary to fulfil the purpose for which it was collected, or as required by applicable legislation. The Company's general retention periods are as follows:

10.2   The Company may retain personal information beyond the periods specified above where retention is required by law, the information is the subject of ongoing legal proceedings, or the data subject has consented to extended retention. Upon expiry of the applicable retention period, personal information shall be securely destroyed or de-identified.

11.   RIGHTS OF DATA SUBJECTS

11.1   Subject to the limitations and exceptions in the Act, data subjects enjoy the following rights in respect of personal information processed by the Company. These rights are in addition to the right of access to records governed by the PAIA Manual.

11.2   Right to Notification (s18 of the Act)

The right to be informed of the purpose of collection, the identity of the responsible party, and all other information prescribed in section 18 of the Act, at or prior to the time of collection.

11.3   Right of Access (s23 of the Act)

The right to request confirmation of whether the Company holds personal information about the data subject, and to request a description of that information. Requests must be submitted in writing to the Information Officer. Requests for access to records are governed by the PAIA Manual.

11.4   Right to Correction or Deletion (s24 of the Act)

The right to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. The Company shall comply with a valid request as soon as reasonably practicable.

11.5   Right to Object (s11(3) of the Act)

The right to object, on reasonable grounds, to the processing of personal information in circumstances where processing is based on the legitimate interests of the Company. Upon receipt of a valid objection, the Company shall cease processing unless it can demonstrate compelling legitimate grounds that override the data subject's rights.

11.6   Right to Withdraw Consent

Where processing is based on consent, the right to withdraw that consent at any time by written notice to the Information Officer. Withdrawal shall not affect the lawfulness of processing conducted prior to withdrawal.

11.7   Right to Lodge a Complaint

The right to lodge a complaint with the Information Regulator of South Africa where the data subject believes that the Company has processed their personal information in contravention of the Act. The Information Regulator's contact details are:

Email: inforeg@justice.gov.za

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Website: www.inforegulator.org.za

11.8   All requests in terms of this section 11 must be submitted in writing to nthato@koraconsulting.co.za or info@koraconsulting.co.za. The Company will respond within 30 (thirty) calendar days of receipt of a valid request, unless an extension is warranted by the Act.

12.   AMENDMENTS AND UPDATES

12.1   The Company reserves the right to amend this Policy at any time. Amendments take effect upon publication of the updated Policy on the Website. Data subjects are encouraged to review this Policy periodically. Where an amendment materially affects the processing of existing data subjects' personal information, the Company will take reasonable steps to notify those data subjects prior to the amendment taking effect.

12.2   This Policy must be read together with the Company's PAIA Manual, Terms of Use, and Cookie Policy, all of which are available at www.koraconsulting.co.za.

13.   GOVERNING LAW

This Policy is governed by the laws of the Republic of South Africa. Any dispute arising herefrom shall be subject to the jurisdiction of the courts of the Republic of South Africa.