1 ABOUT

This Privacy Policy governs the manner in which Momentum Group (‘we’, ‘our’, ‘us’, ‘Momentum Group’), a platform fully owned and managed by Momentum treats your personal information that is collected electronically when you use our website, which can be found at (www.momentumgroupltd.co.za), to apply online for certain products and services, contact us electronically or register for one of the services or products we offer on the website. This policy sets out the processing in accordance with the Protection of Personal Information Act (‘POPIA’) and other relevant laws. The Privacy Notice applies to any website, mobile application, form, document, product or service, which can be found on our website at https://www.momentumgroupltd.co.za.co.za/ which references this Privacy Notice. It also supplements any other privacy policies which may apply in respect of Momentum Group’s entities’ processing of personal information. This policy explains why we collect such personal information, what personal information is collected, and what we do (and do not do) with it. It also explains how you can change your personal information. Our privacy policy and privacy notice can be found on www.momentumgroupltd.co.za; www.momentum.co.za; www.guardrisk.co.za; www.metropolitan.co.za; www.multiply.co.za and www.eris.co.za (‘website’) respectively by clicking on the link titled “Privacy Policy” or “Privacy Notice” or “Policies” at the bottom of each of the pages of the websites listed above. We respect your privacy and your personal information and for this reason, we will take all reasonable measures, in accordance with this Policy, to protect your personal information to keep it confidential, even when you are no longer our client. We will maintain the confidentiality of your personal information and comply with the Protection of Personal Information Act 4 of 2013 (POPIA) in South Africa, the other related Data Protection Laws, regardless of which jurisdiction it originated from. This policy applies to South African entities within the Momentum Group of companies, its subsidiaries, operating divisions, business units, licensed entities, management-controlled entities and activities. Each subsidiary not located in South Africa will apply their relevant Data Protection law in their jurisdiction, and that specific Privacy Policy can be accessed for that related information.Momentum Group comprises of companies that provide, among others (but may not be limited to), the following products, and services: Advisory Services; Car and home insurance; Claims Processing; Claims Administration; Employee benefits; Financial services; Fiduciary Services; Health benefits; Life insurance; Loyalty rewards and benefits; Loyalty rewards and benefits based on fitness device interactions; Investment management services; Investment and savings; Medical aid; Medical schemes and pension fund administration; Managed care services; Retirement products; Payment products and services; Advanced Analytics; Insights and Research; Non-life Insurance services; Micro-life insurance. We briefly outline these principles below: Advisory Services; Car and home insurance; Claims Processing; Claims Administration; Employee benefits; Financial services; Fiduciary Services; Health benefits; Life insurance; Loyalty rewards and benefits; Loyalty rewards and benefits based on fitness device interactions; Investment management services; Investment and savings; Medical aid; Medical schemes and pension fund administration; Managed care services; Retirement products; Payment products and services; Advanced Analytics; Insights and Research; Non-life Insurance services; Micro-life insurance services. Applicable audience for this policy: A visitor to our website(s); Any user of our applications; A client who has any product or service or requested any product or service that we provide.

2 INFORMATION DISCLOSURE

2.1 - 2.17

2.1 What is personal information

Personal information refers to any information that identifies you or specifically relates to you. Personal information includes, but is not limited to, the following information about you: Your marital status (like married, single, divorced); your national origin; your age; your language; birth; education; Your financial information, which may include your financial history and information (like your income or your buying, investing, and banking behavior based on, amongst others, account transactions); Your identifying number (like an account number, identity number, or passport number); Your e-mail address; location information; physical address (like residential address, work address, or your physical location); and telephone number (including your cellular number, home landline, or office work number); Your online identifiers such as social media profiles; Your biometric information (like fingerprints, selfies, photos, face recognition, signature, or voice); Your race and/or gender; Your physical health; mental health; well-being; disability; religion; belief; conscience; culture (this also includes physical health tests and results based on wearable fitness devices); Your medical history (like your HIV/AIDS status and any medical history disclosed or obtained); criminal history; and employment history; Your personal views, preferences, and opinions; Your confidential correspondence; Another’s views or opinions about you and your name also constitute your personal information; CCTV footage (on our physical office premises and branches). However, personal information excludes: Information that has been anonymized so that it does not identify a specific person; Permanently de-identified information that does not relate or cannot be traced back to you specifically; Non-personal statistical information collected and compiled by us.

2.2 What is Special Personal Information?

Special personal information includes details about your religious and philosophical beliefs (for example, where you enter a competition and are requested to express your philosophical view); your race (such as when you apply for a product or service that requires statistical information to be recorded); your ethnic origin; your trade union membership; your political beliefs; your health (such as when you apply for an insurance policy or medical/health-related products, including health-related data obtained from fitness devices where applicable); your biometric information (such as for identity verification using fingerprints, selfies, photos, face recognition, signature, or voice); and/or your criminal behavior and alleged commission of an offense (such as to prevent money laundering as required by law or when you apply for employment or enter into a relationship with us).

2.3 How does Momentum Group collect Personal Information?

Momentum Group collects information directly from you, the data subject, the employer, or through financial services intermediaries. In some cases, third parties may be appointed to collect information on behalf of the company. If personal information is not obtained directly from the data subject, the source of the information will be disclosed. We may monitor and record any telephone calls you make to us unless you request us not to. Data collection may also include information from wearable fitness devices where applicable, and you will always be notified to grant access when required.

2.4 What type of Personal Information does Momentum Group collect?

Momentum Group collects personal information depending on the transaction, including your name; contact details; birth date; identity number; gender; employment details; voice recordings; email correspondence; marital and family details; policy details; location information; online identifiers; bank account details; medical or health information. The company will indicate the purpose of collection and whether the information required is compulsory or voluntary, as stated in application forms. If you have questions about the necessity of providing certain information, you can consult your advisor. Additionally, we may collect your health and fitness data through fitness devices for specific products. Third parties may assist in this collection, and the data will be limited to what is necessary for your product benefits. If you begin but do not complete an online application, we may use your provided information to remind you to finish the process.

2.5 Potential consequences of refusing to provide personal information

If you do not provide the required personal information, Momentum Group may be unable to offer products, services, or assistance with claims. For financial advisory services, not providing complete and accurate information could compromise the quality and appropriateness of the advice you receive. You are responsible for informing Momentum Group if your information changes.

2.6 When will we process your Personal Information?

Momentum Group processes personal information for lawful business purposes under the following circumstances: when you have consented (where applicable); when a legally authorized person, the law, or a court has given consent on your behalf; when processing is necessary to conclude or perform under a contract with you; when required or permitted by law (refer to our PAIA manual at https://www.momentumgroupltd.co.za/access-to-information); when necessary to protect or pursue legitimate interests of you, us, or a third party; when you are a child and a competent person (such as a parent or guardian) has consented on your behalf; or when you have granted a third-party application permission to collect data from your mobile or wearable device.

2.7 When will we process your Special Personal Information?

Momentum Group may process your special personal information under these conditions: if you have consented; if processing is required to create, use, or protect a legal right or obligation; if processing is for statistical or research purposes; if the information was made public by you; if processing is required by law; if racial information is needed for identification purposes; if you have permitted a third-party application to collect health and fitness data from your mobile or wearable device; if health data processing is necessary to determine insurance risk, comply with an insurance policy, or enforce an insurance-related right or obligation; or if sanctions screening reveals reports of alleged criminal conduct or proceedings.

2.8 Personal Information in the Public Domain

Information that a data subject makes publicly available on social media, online platforms, or any media publication remains public and is not protected by Momentum Group under POPIA. Clients should avoid sharing sensitive information publicly on chatrooms or social media forums, as such information cannot be protected. Only formal channels such as Momentum Group’s websites, call centers, and mobile apps are secured and governed under this Privacy Policy.

2.9 Reasons for Processing Your Personal Information

Momentum Group processes your personal information for various purposes, including: Products or services purposes such as payment processing; location tracking for "Safe Dayz" journeys; engagement with third parties like insurers, administrators, and brokers for underwriting, claims, and policy administration; coordination with trustees and executors; handling customer loyalty rewards programs; verifying identity and security; assessing affordability, credit scoring, and risk evaluation; Marketing purposes such as promotional campaigns, targeted offers, and direct marketing; Business purposes such as employee management; internal audits; accounting; business planning; joint ventures, acquisitions, and other transactions; Legal purposes such as compliance with law enforcement, fraud prevention, tax authorities, regulatory bodies, and court orders. Additionally, website usage data may be processed to remember user preferences; monitor visitor statistics; and track submissions in promotions and other activities.

2.10 Processing Information of a Child

Momentum Group prioritizes child privacy. Children under 18 require consent from a competent person (such as a parent or guardian) before submitting personal information. If we detect that a user is under 18, we will not process their information without legal consent. Processing a child’s personal information is permitted only under specific conditions, including where a parent or guardian consents; when necessary for legal obligations such as wills, trusts, or insurance policies; when made public by the child with parental consent; for research purposes; or when legally required.

2.11 Who is Responsible for Processing Your Personal Information?

Momentum Group is responsible for processing all personal information under POPIA laws. Selected third parties, including service providers and technical support firms, may assist with data processing. Any appointed operators performing specific functions for Momentum Group are required to maintain confidentiality and legal compliance.

2.12 Lawful Basis and Your Agreement to This Privacy Policy

Providing personal information is voluntary, but refusing to do so may prevent access to certain products or services. Momentum Group collects information in various ways, including via its website; mobile applications; statutory functions; business transactions; and legal or contractual obligations. The company employs reasonable security measures to protect personal information.

2.13 Obtaining Personal Information About Clients

Momentum Group collects personal data directly from clients; based on usage of products and services; through interactions on social media, emails, and surveys; from public sources; from third-party providers including insurers, financial institutions, and regulatory bodies; and from wearable fitness devices for loyalty rewards programs.

2.14 Retention of Data

Client data, including correspondence and voice recordings, is retained as long as the client relationship exists. If the relationship ends, data is only retained for the legally required period or for evidentiary purposes in compliance with POPIA.

2.15 Processing Information About Persons Related to a Juristic Person

If you represent a company, we may collect and process information about its directors, employees, owners, and other associated persons. By providing related persons' information, you confirm that they are aware and have consented.

2.16 Failing to Provide Personal Information

Refusing to provide personal information may prevent Momentum Group from offering services, providing accurate quotations, or processing claims efficiently. Failure to provide truthful and accurate data could result in service delays or claim denials.

2.17 Direct Electronic Marketing

Momentum Group may use personal information to market its products and services. Customers must opt in to receive marketing communications and may opt out at any time at no cost. Personal information is used for financial, insurance, and investment marketing through electronic channels, but it is never sold to third parties. Independent financial advisors operate separately from Momentum Group, and we do not control their direct marketing communications.

3 AUTOMATED DECISION MAKING, MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE

In our commitment to transparency and accountability, this section of our privacy policy explains our use of Automated Decision Making (ADM) technologies, including profiling, in providing our products or services to you. ADM refers to decisions made solely based on the automated processing of personal information using software, algorithms, artificial intelligence or machine learning that do not involve human intervention.

3.1 Application of ADM

In our commitment to transparency and accountability, this section of our privacy policy explains our use of Automated Decision Making (ADM) technologies, including profiling, in providing our products or services to you. ADM refers to decisions made solely based on the automated processing of personal information using software, algorithms, artificial intelligence, or machine learning that do not involve human intervention.

3.2 Legal Bases and Your Rights

We may use ADM to provide you with products and/or services.

3.3 Good Practice Measures

We ground our use of ADM on a valid legal basis under applicable data protection laws, depending on the nature of the personal information involved. When ADM leads to decisions affecting you, you have the right to request human intervention; contest decisions made by ADM; express your point of view.

3.4 Ensuring Fairness and Accountability

To ensure the integrity and fairness of our ADM processes, we have adopted several best practices: Quality assurance and algorithmic auditing, involving regular checks and audits to confirm our systems and algorithms function fairly and accurately, avoiding unfair bias or discrimination; Data minimisation and anonymisation, where we apply strict data retention policies and use anonymisation or pseudonymisation techniques where appropriate; Human intervention, ensuring clear avenues for appealing automated decisions, including providing details for human review and a direct contact point for queries.

4 COOKIE NOTICE

Our commitment to these practices underlines our dedication to fairness, privacy, and respect for your rights in using ADM and profiling technologies. We continually review and refine these measures to align with best practices and legal standards. For more detailed information on your rights and how we implement ADM and profiling in our operations, please contact our information officer (details in section 15 below). We aim to enhance your experience while safeguarding your rights and data privacy in every interaction with our services.

4.1 What Are Cookies?

Cookies are used to enhance your experience when visiting our website. They help store information about your device and how you use the site, making navigation easier and improving functionality. For more information, visit Cookie Law Info and All About Cookies.

4.2 What Happens If You Disable Your Cookie Functionality?

A cookie is a small text file stored on your device by the website you visit. It helps the website remember information about your device and usage patterns. This allows us to make your visit to our site as seamless and useful as possible. Please refer to our cookie policy for more details.

4.3 Types of Cookies We Use

Clearing or disabling cookies may limit website functionality, including the features available when logged in. You can restrict cookie collection by disabling cookies in your browser or modifying settings to require permission each time a site attempts to set a cookie. However, as our website (and many others) rely on cookies for certain features, disabling them may result in some services not functioning properly.

4.4 What We Use Cookies For

There are two main types of cookies: session cookies, which are deleted when you close your browser; persistent cookies, which remain stored on your device until they expire or are manually deleted. Persistent cookies are sent back to us each time you visit our site.

4.5 Manage Your Cookie Preferences

We use cookies for session management; user device identification and classification; traffic routing; analytics.

4.6 Why Do We Use Cookies?

By using our website, you consent to the placement of cookies on your device. If you prefer not to use cookies while visiting our website, you can adjust your browser settings accordingly. For instructions on managing cookie settings, visit: Chrome; Safari; Firefox; Edge.

4.7 Is Your Personal Information at Risk?

Our website utilizes Google Analytics, a web analytics service provided by Google, to track and analyze visitor behavior and interactions. This enables website owners to gain insights into website traffic; user demographics; user behavior; conversion rates; and other website performance metrics. These insights help improve content, optimize user experience, and enhance website functionality. Google collects and stores this information but does not personally identify individual visitors.

5 WEB BEACONS

No, we do not store any personal information, including login details, passwords, or other sensitive data, on your device through cookies.

6 COLLECTING INFORMATION FROM YOUR BROWSER

Our website(s) may contain electronic image requests (called a single-pixel gif or web beacon request) that allows us to count page views and to access cookies. Any electronic image viewed as part of a webpage (including an ad banner) can act as a web beacon. Our web beacons do not collect, gather, monitor or share any of your personal information. We merely use them to compile anonymous information about our website.

7 CLOSE CIRCUIT TELEVISION (CCTV) FOOTAGE

We automatically receive and record Internet usage information on our server logs from your browser, such as your Internet Protocol address (IP Address), browsing habits, click patterns, version of software installed, system type, screen resolution, colour capabilities, plug-ins, language settings, cookie preferences, search engine keywords, JavaScript enablement, the content and pages that you access on the website, and the dates and times that you visit the website, paths taken, and time spent on sites and pages within the website (usage information). Please note that other websites visited before entering our website might place personal information within your URL during a visit to it, and we have no control over such websites. Accordingly, a subsequent website collects URL information may log some personal information.

8 LOCATION SERVICES

We use CCTV monitoring to assist in protecting the company’s employees and property. CCTV monitoring is only used to monitor public areas in the company. The information from the CCTV monitoring is only used for security and law enforcement, and to ensure public safety. The use of CCTV to monitor public areas will be done in a way that does not violate the rights of anyone who enters the company’s public areas. By entering any of the Momentum Group buildings, you consent to being recorded. The information and images collected from CCTV monitoring will be kept in a secure manner and only people who are authorised will have access to. The images and information collected by the CCTV belongs to the company.

9 MOBILE APPLICATIONS

We use location services for specific products and services through our websites and applications. The location services will only be switched on with the prior consent of the user. The use of location services is set out in the purpose of collection of data. Your location services are required only for specific products or services such as Safe Dayz TM. And this data is collected through the Momentum mobile application. By not enabling your location services it may affect your benefits on your specific product. In order for Momentum to receive your ongoing journey data, the following is required: For your cellphone's GPS setting to be switched on at all times; Frequent access to data and mobile internet services (cellular or wi-fi). Your location sharing settings can be updated at any time by yourself by updating this on your mobile device under your settings.

9.1 Health Connect for Android

Some mobile applications may use third parties to collect and share information with Momentum Group, specific to the products you have. This information may include your location services (see Location Services for details) and the collection of fitness/health data for Momentum and Multiply. For fitness data, the application uses data stored on the Health Connect application on Android devices or the Health application on iOS devices.

9.1.1 What Data Does Momentum and/or Multiply Collect?

Data accessed through Health Connect is regarded as personal and sensitive (special personal) information.

9.1.2 What Does Momentum and/or Multiply Do With Fitness Data?

Momentum and/or Multiply collects fitness activity data, which may include but is not limited to: daily steps; calorie workouts; gym visits; event participation; resting heart rate; heart rate variance; other fitness-related data logged by the device user. While using the Momentum and/or Multiply applications, and in order to provide features of the application and loyalty benefits, we may collect, with your prior permission: information regarding your location; fitness activity data (such as sleep, daily movement, active calories and workouts, resting heart rate, heart rate variance, heart rate recovery, gym visits, or related data); health measurements (including but not limited to glucose, blood pressure, cholesterol, and BMI). The data you choose to share may impact the rewards/benefits you get allocated. This is detailed in our privacy policy which can be found on our website at https://www.momentumgroupltd.co.za.co.za/.

9.1.3 How Does Momentum and/or Multiply Get the Fitness Data?

This data is used to analyze your fitness activity and track your fitness progress in relation to the rewards and benefits associated with your fitness activity.

9.1.4 Withdrawal of Sharing Consent for Fitness Data

The data is securely transferred from your mobile or wearable device with your permission to a third-party application. This ensures that Momentum and/or Multiply can access and use the data to assign your benefits and rewards.

9.1.5 Limited Usage of Fitness Data

You can withdraw access to the sharing of your fitness data at any time through your mobile or wearable device settings. Withdrawing consent to share the data with Momentum and/or Multiply may impact your benefit or reward allocation.

9.1.6 Managing Your Fitness Data on the Momentum and/or Multiply Application

Momentum and/or Multiply, as responsible parties, take all reasonable and appropriate steps to adhere to applicable data privacy and protection laws. Your fitness data will only be used for: benefit or reward allocation; fitness and health recommendations. Neither Momentum nor Multiply will sell or share your data with any third party, nor will your data be shared with a third party if it is not related to benefit or reward allocation or fitness and health recommendations. Momentum and Multiply ensure that all legal requirements, including data protection, are in place before sharing any information. All conditions in this policy apply to fitness data obtained from mobile or wearable devices.

10 CONFIDENTIALITY AND SECURITY

The fitness data that Momentum and/or Multiply collects is limited to the permissions you grant as a user. This is outlined in section 9.1.1. Momentum and/or Multiply will continue to obtain your fitness data as long as you remain a Momentum or Multiply member and have provided consent through your mobile or wearable device. This data is collected every time you log into the application. You have the right to request the deletion of your data by visiting the Momentum Data Privacy Page and completing the POPIA online request form.

10.1 Routine Precautions

Momentum Group has physical, technological, and procedural security safeguards in place and will use its best endeavors to protect your personal information.

11 YOUR PERSONAL INFORMATION

Personal information refers to information that identifies or relates specifically to you, which includes: your name; age; gender; identity number; your assets and liabilities; your income; your employment details; payment records; your contact details; your marital status; family information; bank account information; medical or health information; fitness activity data; your policy information. Any information about what you buy; where you shop; where you bank; how you invest; your health behavior; your health transactions; and all related information will also be regarded as personal information. In short, any information that we know about you will be regarded as your personal information.

11.1 Securing personal information

Momentum Group will take all reasonable technical and organisational precautions to prevent the loss,misuse or alteration of your personal information. The company will store all the personal information in secured environments, for example on secured servers in a protected data centre.

11.2 Managing Data Privacy at Momentum Group Board Level and Reporting Frequency

The Momentum Group Board Risk Capital and Compliance Committee (BRCC) is a sub-committee of the Board that is accountable to address and manage the risk of data privacy and cyber security. The BRCC follows the board cycle and convenes on a quarterly basis. The Momentum Group Chief Digital and Transformation Officer (CDTO) is the business representative on BRCC for data privacy, data security and cyber security through the support of the Momentum Group Chief Privacy Officer. The Momentum Group Chief Risk Officer provides guidance and input regarding appropriate Risk Management.

11.3 Employee Training on Cyber Security and Data Privacy

Employee Training on Cyber Security and Data Privacy forms part of ongoing compliance training. Cyber Security training is currently further required as a basic compliance training that all employees must complete. As part of the Data Privacy management, there is a specific focus on training, awareness as well as communication that will cover data privacy, data security and more detailed cyber security training as mandatory compliance training to all staff. The POPIA management programme is actively managed at Momentum Group level with participation of all business entities and subsidiaries of Momentum Group.

11.4 Centralised Cyber Security and Data Security Functions and Coordination

To address cybersecurity and data privacy, two separate centralised functions exist within Momentum Group. The IT Security environment manages cybersecurity as a capability, while the Data Management environment handles data privacy and extended data security and privacy, enabled through IT security. These two functions report to the Group Exco and are coordinated to work closely together to ensure coordinated efforts in delivering on relevant requirements.

11.5 Third Parties

We do not exercise control over affiliate parties' privacy policies regarding personal information and third parties. Because we are not responsible for any representations, information, warranties, or content on any affiliate party's website (including websites linked to this website or facilitated by us), we do not control affiliate parties' privacy policies. You should refer to the privacy policy of any affiliate party to understand how they protect your privacy..

11.6 Sharing your Information

Your privacy is important to us. We will not sell, rent, or provide your personal information to unauthorised entities or third parties for independent use without your consent, unless required by contract between Momentum Group and yourself. We may disclose your personal information to the following third parties: other companies within the Momentum Group; selected third parties providing services such as technical support, website hosting, back-office services, analytics, marketing, and distribution of Momentum Group products and services; professional advisers, judicial, regulatory, and law enforcement bodies; a third party acquiring all or part of our assets, shares, or business operations, whether through merger, acquisition, or reorganisation. To ensure that we meet your needs, we may collect and analyse your personal information and combine it with other information we have about you to compile a profile for personalised services. Once we have collected and analysed your personal information, we may send you promotional material or details relevant to you. If promotional information relates to affiliate party products, promotions, news, or services, and you express interest, we may inform the affiliate party to contact you directly. This will only happen if you have agreed to it. If, at any stage, after giving consent, you no longer wish for us to use or share your personal information with an affiliate party, you may withdraw your consent. Withdrawing consent for affiliated third parties may impact our offering to you, and this will be explained upon your request. In all cases, we will ensure we have a lawful basis for sharing information and will document our decision-making. Should access to your information be requested under the Promotion of Access to Information Act, No. 2 of 2000 (PAIA), we will notify you in accordance with PAIA terms. On rare occasions, we may be legally required to disclose your personal information. In such cases, we reserve the right to disclose personal information to comply with legal obligations, including court orders, warrants, subpoenas, service of process requirements, or discovery requests. We may also disclose user data to law enforcement officers or others in good faith, if necessary, to enforce this Privacy Policy, respond to claims that content violates third-party rights, or protect our rights, property, and personal safety, as well as the safety of our employees, clients, or the general public.

11.7 Cross Border Sharing

We will only transfer your personal information to third parties in another country under the following circumstances: where your personal information is adequately protected under the other country’s laws or an agreement with the third-party recipient; where the transfer is necessary to enter into or perform a contract with you or a contract with a third party in your interest; where you have consented to the transfer; where it is not reasonably practical to obtain your consent, and the transfer is in your interest. This transfer will comply with all legal requirements and safeguards. Where possible, the recipient of your personal information in another country will agree to apply the same level of protection as required by law in your country. If the other country’s laws provide better protection, those laws will be applied. An example of cross-border data transfer would be when you make payments for goods or services in a foreign country. PLEASE NOTE: As Momentum Group operates in multiple countries, your personal information may be shared within Momentum Group entities in other countries and processed in those countries to fulfil contractual obligations.

12 RIGHTS OF DATA SUBJECTS

You have the ability to exercise your rights in terms of POPIA by visiting our website on www.momentum.co.za/momentum/support/privacy-policy and following the prompts on either the "Online POPIA Requests" or the "POPIA Request Forms" to submit your requests in terms of the below. In terms of data privacy laws, you have certain rights including the right to: review, or request access or copies of your Personal Information, which is within our custody and control, together with details about how we use that information. If you think any of the Personal Information that we hold about you is inaccurate, you may also request that we correct or rectify it; in certain circumstances, to require us to stop processing your Personal Information; to request that we delete or erase Personal Information in certain circumstances (such as in accordance with local data retention legal obligations); withdraw any consent to processing that you have given us and prevent further processing if there is no other legitimate ground upon which we can process your Personal Information; restrict processing: you can require certain Personal Information to be marked as restricted for processing in certain circumstances; data portability, i.e., you can ask us to transmit the Personal Information that you have provided to us to a third party; object to automated decision-making, including profiling; and lodge a complaint with the relevant data protection regulator if you think we are in breach of any applicable data protection legislation. In relation to all of these rights, please email us at the email address set out in paragraph 15 below. Please note that we may, where permitted under applicable law, charge a small administrative fee and/or request proof of identity. We will respond to your requests within all applicable timeframes. In certain circumstances (for example, where required or permitted by law), we might not be able to provide you with access to some of your Personal Information, but where appropriate, we will notify you of the reasons for this. You have the right to be informed in writing by the company as soon as reasonably possible of any breach or suspected breach. The notification must contain enough information to allow the data subject to take protective measures against the potential consequences of the breach. You also have a duty to inform us of any changes to your Personal Information. It is important that the Personal Information we hold about you is accurate and current. Please keep us informed if your Personal Information changes during your working relationship with us.

13 CHANGES TO PRIVACY POLICY

Perusing amendments to the policy. Our right to amend this Privacy Policy. We reserve the right, in our sole discretion to amend (including without limitation, by the addition of new terms and conditions) this Privacy Policy from time to time. You agree to review the Privacy Policy whenever you visit this website for any such amendments. Save as expressly provided to the contrary in this Privacy Policy, the amended version of the Privacy Policy shall supersede and replace all previous versions thereof.

14 WHICH LAWS APPLY?

This Privacy Policy will be governed by and construed and interpreted in accordance with the laws of South Africa. To the extent that a court has jurisdiction over any dispute which may arise out of or in connection with this Privacy Policy, we both submit to the jurisdiction of the South African courts. Outside of South Africa we do operate in Guernsey, Ghana, Botswana, United Kingdom, Lesotho, Namibia, Mozambique, Mauritius and the applicable privacy laws apply in those countries and jurisdictions of the relevant courts.

15 GET IN TOUCH - COMPLIMENTS OR REQUESTS

Name of the Information Officer: Jeanine Norden; Postal Address: PO BOX 7400, Centurion, 0046; Physical Address: 268 West Ave, Die Hoewes, Centurion, 0157; Email Address: dataprivacy@mmltd.co.za.

15.1 Contact details of the POPIA Information Officer of Momentum Group:

https://www.momentumgroupltd.co.za/privacy-notice; https://www.momentum.co.za/momentum/support/privacy-policy; https://guardrisk.co.za/privacy-notice/; https://www.eris.co.za/privacy-policy/; https://www.metropolitan.co.za/legal/terms-privacy/#privacy-policy

15.2 Privacy Website URLs:

Postal Address: PO BOX 7400, Centurion, 0046; Physical Address: 268 West Ave, Die Hoewes, Centurion, 0157; Telephone Number: +27 (0) 12 065 0445; Internet site URL: www.momentumgroupltd.co.za.

15.3 General contact details of Momentum Group:

Should you believe that Momentum Group has utilised your personal information contrary to Applicable Laws, you undertake to first attempt to resolve any concerns directly with Momentum Group. If you are not satisfied with the outcome of this process, you may have the right to lodge a complaint with the Information Regulator using the contact details in 16.1 below

16 COMPLAINTS

16.1

16.1 Information Regulator Contact details:

The Information Regulator (South Africa); Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001; Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017; Phone: 010 023 5200; Complaints Email: POPIAComplaints@inforegulator.org.za; General Enquiries Email: enquiries@inforegulator.org.za; Website: https://inforegulator.org.za/.

17 PUBLIC PRIVACY POLICY

17.1 - 17.2

17.1 Document Control

17.1.1 - 17.1.2

17.1.1 Key Document Summary:

Document Status and Version: Final, Version 6.0; Document Owner: Jeanine Norden, Chief Privacy Officer.

17.1.2 Document Version History

Date: 03/2023; Version: 3.1; Author / Reviewers: Reviewed, updated, and published on Internet site; Action / Comment: Minor changes and corrections; Date: (unspecified); Version: 4.0; Author / Reviewers: Reviewed, updated, and published on Internet site; Action / Comment: Updated to cater for Multiply app and user rights; Date: 03/24; Version: 5.0; Author / Reviewers: Update with Momentum Application consent, updated with automated decision-making; Action / Comment: Updated to cater for the Momentum app and user rights; Date: 07/24; Version: 6.0; Author / Reviewers: Branding update; Action / Comment: Update to Momentum Group branding.

17.2 Executive Committee Review and Approval History

Date: 04/23; Reviewer/Approval Sub-Committee: Data Privacy Steering Committee; Action: Approved; Version: v4.0; Date: (unspecified); Reviewer/Approval Sub-Committee: Data Privacy Steering Committee; Action: Approved; Version: v5.0; Date: (unspecified); Reviewer/Approval Sub-Committee; Action: Approved content of V5; Version: v6.0.