Privacy Policy

Applicable to: Applied Optimisation (Pty) Ltd & Applied Optimisation UK Ltd
Compliance Standards: POPIA (South Africa), GDPR (EU), UK GDPR (United Kingdom)

1. Introduction and Scope

1.1. This policy governs the collection, use, and protection of Personal Information by the Ayoh Group.

1.2. The "Ayoh Group" refers to:

• South Africa: Applied Optimisation (Pty) Ltd (Reg: 2022/672322/07) (“AYOH SA”).
• United Kingdom: Applied Optimisation UK Ltd (Reg: 14970295) (“AYOH UK”).

1.3. We are committed to protecting the privacy of our employees, clients, and partners. This policy explains how we process data in compliance with the Protection of Personal Information Act (POPIA) in South Africa, the UK General Data Protection Regulation (UK GDPR), and the EU General Data Protection Regulation (EU GDPR).

2. Definitions and Interpretation

To ensure global compliance, the following terms are used interchangeably:

• “Controller” / “Responsible Party”: The entity that decides how and why data is processed (AYOH).
• “Data Subject”: The individual to whom the information relates (You).
• “Personal Information” / “Personal Data”: Any information relating to an identified or identifiable natural person.
• “Processing”: Collecting, recording, organising, structuring, storing, adapting, or disclosing data.

3. Information Officer / Data Protection Representative

AYOH has appointed an Information Officer (SA) who also serves as the point of contact for GDPR (UK/EU) inquiries.

• Information Officer: Michael
• Email: michael@ayoh.group
• Deputy Information Officer: Ross
• Email: ross@ayoh.group

4. The Data We Collect

We collect and process the following categories of data:

4.1. Identity Data: Name, username, marital status, title, date of birth, gender.

4.2. Contact Data: Billing address, delivery address, email address, telephone numbers.

4.3. Financial Data: Bank account and payment card details (processed securely via third-party providers).

4.4. Technical Data: Internet Protocol (IP) address, browser type and version, time zone setting, browser plug-in types, operating system, and platform.

4.5. Special Personal Information: (As defined in POPIA/GDPR Art. 9) We only collect sensitive data (e.g., health, biometrics for security, or biometric identification) when strictly required by law (e.g., employment equity) or with explicit consent.

5. Lawful Basis for Processing (GDPR/UK GDPR Requirement)

Under UK and EU data protection laws, we must have a "lawful basis" for processing your data. We process your data based on:

5.1. Contractual Necessity: Processing is necessary to perform a contract with you (e.g., providing our optimisation services or employment contracts).

5.2. Legal Obligation: We are required by law to process your data (e.g., SARS tax records in SA, HMRC records in the UK).

5.3. Legitimate Interests: Necessary for our legitimate business interests (e.g., network security, fraud prevention, keeping records updated), provided your rights do not override these interests.

5.4. Consent: In specific circumstances (such as direct marketing to new contacts), we will ask for your explicit consent. You may withdraw this consent at any time.

6. How We Use Your Data (Purpose)

We process data for the following purposes:

6.1. To register you as a new customer or employee.

6.2. To process and deliver our services and products.

6.3. To manage our relationship with you (notifying you of changes to terms or privacy policy).

6.4. To administer and protect our business and website (troubleshooting, data analysis, testing, system maintenance).

6.5. To deliver relevant website content and advertisements (marketing) and measure the effectiveness of the advertising.

6.6. Security: Monitoring and securing assets, employees, and visitors (including CCTV or biometric access control where applicable).

7. International Data Transfers

As Ayoh Group operates in South Africa and the United Kingdom, data may be transferred across borders.

7.1. Transfer from UK/EU to South Africa: South Africa is not currently deemed "adequate" by the UK/EU authorities implicitly. Therefore, any transfer of data from our UK entity to our SA entity is protected by Standard Contractual Clauses (SCCs) or the International Data Transfer Agreement (IDTA) approved by the UK Information Commissioner's Office (ICO).

7.2. Transfer from South Africa to UK: The UK provides an adequate level of protection similar to POPIA, allowing for lawful transfer.

7.3. General: We ensure that any third-party provider (e.g., cloud storage, CRM) hosting data outside your country of residence complies with the relevant data protection laws.

8. Data Retention

8.1. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

8.2. Specific retention periods are outlined in our internal Data Retention Schedule (e.g., tax records are kept for 5 years in SA / 6 years in the UK).

8.3. Once the retention period expires, data is securely deleted or anonymised.

9. Your Rights

Under POPIA and GDPR, you have the following rights:

9.1. Right of Access: Request a copy of the personal data we hold about you.

9.2. Right to Correction: Request correction of inaccurate or incomplete data.

9.3. Right to Erasure ("Right to be Forgotten"): Request us to delete your data where there is no good reason for us to continue processing it (Subject to legal record-keeping obligations).

9.4. Right to Object: Object to processing of your personal data where we are relying on a legitimate interest and there is something about your situation which makes you want to object.

9.5. Right to Restriction: Ask us to suspend the processing of your personal data.

9.6. Right to Data Portability: Request the transfer of your data to you or a third party in a structured, commonly used, machine-readable format.

9.7. Right to Withdraw Consent: Where we are relying on consent to process your data.

To exercise any of these rights, please contact the Information Officer at michael@ayoh.group.

10. Data Security

10.1. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way.

10.2. Access to your personal data is limited to those employees, agents, contractors, and other third parties who have a business need to know.

10.3. Breach Notification: We will notify you and the applicable regulator (The Information Regulator in SA or the ICO in the UK) of a breach where we are legally required to do so, without undue delay (within 72 hours where feasible under GDPR).

11. Third-Party Disclosures

We may share your data with:

11.1. Service providers acting as processors who provide IT and system administration services.

11.2. Professional advisers including lawyers, bankers, auditors, and insurers.

11.3. Regulators and other authorities (SARS, HMRC) who require reporting of processing activities in certain circumstances.

11.4. Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

12. Updates to This Policy

We verify our privacy policy annually. The last update was on 13/02/2026

---

ANNEXURE A: SOUTH AFRICAN SPECIFIC LEGISLATION

In accordance with South African law, AYOH retains records in compliance with the following Acts where applicable:

1. Basic Conditions of Employment Act, No. 75 of 1997
2. Broad-Based Black Economic Empowerment Act, No. 53 of 2003
3. Companies Act, No. 71 of 2008
4. Compensation for Occupational Injuries and Health Diseases Act, No. 130 of 1993
5. Consumer Protection Act, No. 68 of 2008
6. Electronic Communications and Transactions Act, No. 25 of 2002
7. Employment Equity Act, No. 55 of 1998
8. Labour Relations Act, No. 66 of 1995
9. National Credit Act, No. 34 of 2005
10. Occupational Health and Safety Act, No. 85 of 1993
11. Skills Development Act, No. 97 of 1998
12. Unemployment Insurance Act, No. 30 of 1996
13. Value Added Tax Act, No. 89 of 1991