PRIVACY POLICY

  1. CO3 TECHNOLOGIES (PTY) LTD
    1. CO3 Technologies (Pty) Ltd is a company duly registered in accordance with the laws of the Republic of South Africa.
  2. INTRODUCTION AND SCOPE
    1. CO3 Technologies (Pty) Ltd (“CO3”, “we”, “us”, “our”) strive to ensure that our use of the Personal Information of data subjects is lawful, reasonable, and relevant to our business activities, with the ultimate goal of improving your experience as a customer or employee of CO3.
    1. popia@co3.co.za to discuss this Privacy Policy, your rights under data protection laws applicable to you, and to raise any complaints with us. Further contact information and contact forms are available in our PAIA Manual.
    1. We offer (among others) the following services (“our Services”):
      1. the sale and licensing of enterprise resource planning software systems and related information technology products and services;
      1. support and implementation concerning the above software and information technology systems.
    1. We collect Personal Information about you when you:
      1. contract with us for our above Services;
      1. access our Website, applications or related software systems;
      1. contact us, or otherwise interact with us; and/or
      1. join CO3 as an agent, sales associate, or employee.
    1. By providing us with your Personal Information, you:
      1. agree to this Privacy Policy and authorise us to process such information as set out herein; and
      1. authorise CO3, our Associates, our Service Providers and other third parties to Process your Personal Information for the purposes stated in this Privacy Policy.
    1. This Privacy Policy explains how we will treat your Personal Information whether provided by you to us or collected by us through other means in your ordinary use of our Services, and our Website. This Privacy Policy describes our approach and practices in respect of your Personal Information and our treatment thereof.
    1. This Policy applies to all external parties with whom we interact, including but not limited to individual customers, representatives of customer organisations, visitors to our offices, and other users of our Services.
    1. This Privacy Policy must be read together with our Website terms and conditions and any other documents, agreements or privacy notices that describe the manner in which we, in specific circumstances, collect or process Personal Information about you. This will enable you to understand how CO3 will process your Personal Information.
    1. This Privacy Policy supplements such other documents and agreements, but shall not supersede them and in the event of a conflict, the terms of the particular document or agreement will prevail.
  3. ?
    1. We may collect, acquire, receive, record, organise, collate, store, update, change, retrieve, read, process, analyse, use and share your Personal Information in the manner as set out in this Privacy Policy. When we perform one or more of these actions, we are “Processing” your Personal Information.
    1. “Personal Information” refers to private information about an identifiable living natural or juristic person. Personal Information does not include information that does not identify a person or anonymized information.
    1. The Personal Information we collect may differ according to the Services you receive from CO3. We may process various categories of Personal Information as follows:
      1. Identity Information, when registering as a customer, including information concerning your name, company name, identity and registration numbers, title, date of birth, gender, and legal status, languages, physical address;
      1. Contact Information, which includes your billing address, service addresses, physical address, email address and telephone numbers;
      1. Credit Information, to assess our transactional risk, including credit history reports from credit bureaus (with your consent where required by law);
      1. Criminal behaviour history, where permitted in respect of prospective employees and job applicants;
      1. Financial Information, where permitted, including bank account details, and financial statements;
      1. Human Resources in respect of our own employees, including leave records, job applications, medical aid information to administer employment contracts and comply with our legal obligations;
      1. Instruction Details, which includes details of customers instructing CO3 to procure goods or services on their behalf, including Personal Information included in correspondence, documents, sales agreements or evidence materials that we process in the course of providing our Services;
      1. Tax Information where permitted, which includes IRP5 records, PAYE records and VAT registration numbers;
      1. Technical Information, which includes your internet protocol (IP) address, browser type and version, time zone setting and location, operating system and platform, on the devices you use to access our Website, products or Services.
      1. Usage Information, which includes information as to your access to and use of our Website, products and Services.
      1. Marketing and Communications Information, which includes your preferences in respect of receiving marketing information from us and your communication preferences.
    1. We also process, collect, store and/or use aggregated data, which may include historical or statistical data (“Aggregated Data”) for any purpose. Aggregated Data is not considered Personal Information as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Information in a manner that can identify you, we will treat the combined data as Personal Information, which will be managed per this Privacy Policy.
  4. SPECIAL PERSONAL INFORMATION
    1. Where we need to process your Special Personal Information, we will do so in the ordinary course of our business, for a legitimate purpose, and per applicable laws.
  • HOW WE COLLECT PERSONAL INFORMATION
    • You directly provide CO3 with most of the Personal Information we process. We collect and process Personal Information in the following ways, namely:
      • through direct or active interactions with you;
      • through passive or automated collections;
      • in the course of providing our Services to you or your organisation, including where you register as a customer to use any of our Services or you opt-in to receiving any direct marketing from us;
      • in evaluating job applicants and onboarding Employees;
      • from third parties, where permitted.
    • Direct or active collection
      • We may require that you submit certain information to enable you to access portions of our Website, to make use of our Services, to facilitate the negotiation and conclusion of an agreement with us, or that is necessary for our compliance with our statutory, professional or regulatory obligations.
      • We also collect Personal Information when you communicate directly with us. For example:
  • Via email, meetings and telephone calls;
  • When you fill in forms or registers, or make a purchase order with us;
  • When you voluntarily complete a customer survey, provide feedback or ask for marketing information to be sent to you.
      • If you contact us, we reserve the right to retain a record of that correspondence or telephone call, which may include Personal Information.
      • The Personal Information we collect from you may include any of the categories listed in paragraph 3 above depending on what will be necessary to perform the Services.
    • Passive (automated) collection
      • We may passively collect certain categories of your Personal Information from the devices that you use to access and navigate our Website or to make use of our services (“Access Devices”) using server logs and your browser’s cookies. The categories of Personal Information we passively collect from your Access Device may include your:
  • Technical Information;
  • Usage Information; and/or
  • Any other Personal Information which you expressly permit us, from time to time, to passively collect from your Access Device.
    • Indirect collection (from third parties)
      • We may also receive your personal information indirectly from, among others, the following sources (including public parties):
  • our information technology suppliers;
  • from other Responsible Parties where we act as contracted outsourced processors (“Operators”) in performing our Services, including:
  • Banks and other financial institutions;
  • Software and server suppliers;
  • Telecommunications providers;
  • Medical institutions and insurers, in the case of our employees;
  • law enforcement;
  • Credit bureaus (with your consent, where required by law).
  • When we collect your Personal Information from third parties it is either because you have given us express consent to do so, your consent was implied by your actions, or because you provided consent, either explicit or implicit, to the third party that provided this information to us.
  • HOW WE USE YOUR PERSONAL INFORMATION
    • We Process your Personal Information in the ordinary course of the business of providing our Services.
    • We also use the Personal Information we collect to maintain and improve our Website and to improve the experience of its users, and to facilitate the provision of our Services to you, and to comply with our statutory and regulatory obligations.
    • We use your Personal Information only for the purpose for which it was originally collected by the relevant Responsible Party and strictly in accordance with their instructions. We use your Personal Information for a secondary purpose only if such a purpose constitutes a legitimate interest and is closely related to the original purpose and instructions for which the Personal Information was collected.
    • We may process your Personal Information during the course of various activities, including but not limited to, the following:
      • providing our Services at your request (or the request of a Responsible Party), including procurement and delivery of software systems to you;
      • processing and collecting payment for our Services rendered;
      • providing customer support and responding to and communicating with you about your requests, questions and comments;
      • transfer of limited and necessary information to our Service Providers and other third parties where required to perform our obligations to you;
      • With your consent (where required by law), for relationship management and marketing purposes in relation to our Services, including, but not limited to, the development and improvement of our Services, marketing activities (promotions and special offerings), and for accounts management to establish, maintain and/or improve our relationship with you;
      • to detect, prevent, manage and protect against actual or alleged fraud, security breaches, misuse, and other prohibited or illegal activity, claims and other liabilities;
      • to protect our rights in any litigation that may involve you;
      • to comply with our regulatory reporting obligations, including submissions to the South African Reserve Bank, Financial Intelligence Centre, South African Revenue Services, Information Regulator and/or other authorities;
      • for other lawful and legitimate purposes that are relevant to our business operations or regulatory functions. 
      • conduct our recruitment and hiring process, which includes referrals, capturing job applicants’ details and providing status updates to job applicants to protect our legitimate interest in ensuring a safe working environment.
      • operate, evaluate and improve our business units, including:
  • developing new products and services;
  • managing our communications;
  • determining the effectiveness of our sales, marketing and advertising;
  • analysing and enhancing our products, Services, websites and apps;
  • maintaining the safety, security and integrity of our Website, products and Services, databases, networks and other technology assets, and business;
  • performing accounting, auditing, invoicing, procurement, reconciliation and collection activities; and
  • improving and maintaining the quality of our customer service;
    • for the purpose otherwise described to you when collecting your Personal Information, or as otherwise outlined in POPIA.
    • CO3 will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
  • LEGAL BASIS FOR COLLECTING AND PROCESSING INFORMATION
    • We will only collect and process your Personal Information where:
      • You have provided us with your consent (as permitted by law);
      • To perform in terms of a contract with you;
      • To protect your legitimate interests;
      • To pursue the legitimate interests of CO3 and our customers which includes:
  • providing Services to and managing our relationship with existing customers;
  • fraud and financial crime detection and prevention;
  • information, system, network, and cybersecurity;
  • general corporate operations, due diligence and risk assessment;
  • complying with a legal obligation, and/or enforcing and defending legal claims.
  • COMPULSORY PERSONAL INFORMATION AND CONSEQUENCES OF NOT SHARING WITH US
    • Where CO3 is required to process certain Personal Information by law, or in terms of a contract that we have entered into with you, and you fail to provide such Personal Information when requested to do so, CO3 may be unable to perform in terms of the contract we have in place or are trying to enter into with you. In such a case, CO3 may be required to terminate the contract and/or relationship with you, upon due notice to you, which termination shall be done in accordance with the terms of that contract and any applicable legislation.
  • DISCLOSURE OF PERSONAL INFORMATION
    • We will not intentionally disclose your Personal Information, whether for commercial gain or otherwise, other than with your permission or in accordance with this Privacy Policy.
    • We may disclose your Personal Information to our contracted Responsible Parties, Service Providers and Associates for legitimate business purposes, in accordance with applicable law and subject to applicable professional and regulatory requirements regarding confidentiality and appropriate data protection measures.
    • In addition, we may disclose your Personal Information:
      • where it is necessary for the purposes of, or in connection with, actual or threatened legal proceedings or establishment, exercise or defence of legal rights;
      • With our contracted agents, advisers, consultants, service providers, suppliers, banking partners and other Operators who process Personal Information on our behalf and whose assistance we require to conduct our business operations and that:
  • have agreed to be bound by this Privacy Policy and our Data Protection Policy or by similar terms offering a similar level of protection;
  • where such Personal Information is necessary for the performance of their obligations to or on behalf of CO3 (i.e., records storage, payroll, server hosts); and
  • based on our instructions, are not authorised by us to use or disclose the information except as strictly necessary to perform the services on our behalf as instructed or to comply with legal requirements.
      • With third party Operators to the extent that they require such specific Personal Information in the provision of services for or to us, which include hosting, development and administration, technical support and other support services relating to our Website and/or the operation of CO3’s business divisions. We will only authorise the processing of any Personal Information by a third-party Operator on our behalf by, among others, entering into agreements with those third parties governing our relationship with them and highlighting instructions, confidentiality, security and non-disclosure obligations.
      • If required by law;
      • to enable us to enforce, implement, or apply any other contract between you and us, or any contract where we act as an agent of the principal contracted with you;
      • to mitigate any actual or reasonably perceived risk to us, our customers, employees, contractors, agents, brokers or any other third party;
      • to any relevant third party acquirer(s), in the event that we sell or transfer all or any portion of our business or assets (including, but not limited to, in the event of a reorganization, dissolution or liquidation);
      • With governmental agencies, exchanges and other regulatory or self-regulatory bodies, if required to do so by law or there is a reasonable belief that such is necessary for:
  • compliance with the law or with any legal process;
  • the protection and defence of the rights, property or safety of CO3, our customers, employees, contractors, suppliers, services providers, agents, brokers or any third party;
  • the detection, prevention and management of actual or alleged fraud, security breaches, technical issues, or the misuse or unauthorized use of the Website and any other contravention of this Privacy Policy;
  • the protection of the rights, property or safety of members of the public (if you provide false or deceptive information or make misrepresentations, we may proactively disclose such information to appropriate regulatory bodies).
    • While providing our Services we may obtain, use, and disclose Personal Information about our customer’s customers. In these instances, we process the Personal Information in accordance with this Privacy Policy unless specifically agreed otherwise with our customer.
  1. STORAGE AND TRANSFER OF PERSONAL INFORMATION
    1. We have engaged reputable and trusted organisations as outsourced processors (Operators), and in some cases, as sub-processors to provide data storage and cloud services to securely store your information. Our servers and cloud storage run in secure premises located in South Africa. Where our customers require server hosting services located outside of South Africa, these servers are located within countries strictly regulated by the General Data Protection Regulation (GDPR) and maintain a high level of security measures.
    1. We reserve the right to transfer to and/or store your Personal Information on servers in a jurisdiction other than where it was collected, or outside of South Africa in a jurisdiction that may not have comparable data protection legislation; provided that if the location does not have substantially similar laws to those of South Africa, we will take reasonably practicable steps, including imposing suitable contractual terms and undertaking a due diligence, to ensure that your Personal Information is adequately protected in that jurisdiction.
  2. SECURITY AND INTEGRITY
    1. We take all reasonable technical and organisational measures to secure the integrity of retained information and protect it from misuse, loss, alteration, and destruction through the use of accepted technological standards that prevent unauthorised access to or disclosure of your Personal Information. Unfortunately, despite our best efforts, no data transmission or storage can be guaranteed to be 100% secure. Therefore, we do not make any warranties or guarantees that content shall be entirely 100% secure nor do we accept any liability of whatsoever nature for loss of privacy resulting from any unauthorised disclosure and/or use of your Personal Information, unless such disclosure and/or misuse is because of our gross negligence. However, we are subject to the Protection of Personal Information Act 4 of 2013, which we comply with.
    1. Access to our servers and the servers of the cloud-based database management services is restricted to authorised personnel. These servers and cloud storage implement appropriate security measures.
    1. Personal Information, including banking details, names and addresses, is encrypted as it is transmitted over the internet using SSL. CO3’s internet servers are also protected by firewalls and access to personal information is limited to minimal authorised personnel of CO3. The security of our Website and IT systems is also tested regularly, and every effort is made to ensure that security is at an optimum level at all times.
    1. When processing payment card details, we comply with the applicable Payment Card Industry Data Security Standard (PCI-DSS standard).
    1. We periodically review our Personal Information collection, storage and processing practices, including physical and digital security measures.
    1. CO3 has established and implemented data breach management procedures to address actual and suspected data breaches and will notify you and the relevant regulatory authorities of breaches where we are legally required to do so and within the period in which such notification is necessary.
  3. RETENTION AND DELETION
    1. We may retain and process some or all of your Personal Information if and for as long as:
      1. we are required or permitted by law, or contract with you, to do so;
      1. it is for lawful purposes that are related to our performance of our obligations and activities; or
      1. you agree to us retaining it for a specified further period.
    1. Unless there is a lawful purpose for us to continue processing or storing your Personal Information, we will destroy your Personal Information in the following circumstances:
      1. the Personal Information is no longer necessary for the purpose for which it was collected or processed; or
      1. you withdraw your consent to the processing of your Personal Information; or
      1. you object to the processing of your Personal Information; and
      1. there are no other lawful grounds for us to continue processing your Personal Information.
    1. We determine the appropriate retention period for Personal Information by considering, among other things, the nature and sensitivity of the Personal Information, the potential risks or harm that may result from its unauthorised use or disclosure, the purposes for which we process it and whether those purposes may be achieved through other means. We will always comply with applicable legal, regulatory, tax, accounting, labour, or other requirements as they apply to the retention of Personal Information.
    1. We will destroy your data using effective methods including, among others, shredding.
  4. MAINTENANCE, CORRECTIONS AND ACCESS
    1. We are required to take all necessary steps to ensure that your Personal Information is accurate, complete, not misleading and up to date.
    1. Anyone about whom we maintain Personal Information may request to inspect and, if appropriate, correct the Personal Information held by us. It is your responsibility to inform us, or the persons responsible for the maintenance of your Personal Information, should your Personal Information be incorrect, incomplete, misleading or out-of-date by notifying us at the contact details in paragraph 2.2 above. We may require additional information from the requesting party to assure ourselves of the legitimate basis for the request and the identity and authority of the requestor. Upon receipt and verification of the corrected Personal Information, we will adjust our data or records accordingly.
    1. A request for correction/deletion of Personal Information or destruction/deletion of a record of Personal Information must be submitted using the prescribed Form 2 which is available in our Promotion of Access to Information Manual and the Information Regulator’s website.
  1. DATA MINIMISATION
    1. We have service level agreements with third parties who send us Personal Information (either in our capacity as a Responsible Party or Operator). These state that only relevant and necessary information is to be provided as it relates to the processing activity we are carrying out.
    1. We have destruction procedures in place where a data subject or third party provides us with Personal Information that is surplus to our requirements.
  2. YOUR DATA PROTECTION RIGHTS
    1. Data protection laws may grant you, among others, the following rights:
      1. Request access to your Personal Information – enabling you to receive a copy of the Personal Information retained about you;
      1. Request the correction of your Personal Information – to ensure any incomplete or inaccurate Personal Information is corrected;
      1. Request erasure of your Personal Information – where there is no lawful basis for the retention or continued processing of your Personal Information;
      1. Object to the processing of your Personal Information for a legitimate interest (or those of a third party) – under certain conditions where you feel it impacts your fundamental rights and freedoms;
      1. Request restriction of processing of your Personal Information – to restrict or suspend the processing of your Personal Information to limited circumstances;
      1. Withdraw consent given in respect of the processing of your Personal Information at any time – withdrawal of consent will not affect the lawfulness of any processing carried out before your withdrawal notice, and it may not affect the continued processing of your Personal Information in instances where your consent is not required.
    1. If an above request/objection is to be made, please use the contact information at paragraph 2.2 above and we will revert within 30 calendar days.
  3. DIRECT MARKETING
    1. CO3 would like to send you information about our product and service offerings we believe may be of interest to you.
    1. If you have agreed to receive direct marketing, you may opt-out at any stage.
    1. You have the right, at any time, to stop CO3 from contacting you for direct marketing purposes.
    1. If you no longer wish to be contacted for direct marketing purposes, please email popia@co3.co.za.
    1. Once you have chosen to opt-out, we may send you written confirmation of receipt of your opt-out request (which may be in electronic form), and we will thereafter not send any further direct marketing communication to you. However, you may continue to receive communication from us on matters of a regulatory nature, which are not marketing related.
  4. CHILDREN
    1. Our Website and our Services are not targeted at people under the age of 18. We will not knowingly collect Personal Information in respect of persons in this age group without express permission to do so, unless permitted by law.
    1. We use external processors (“Operators”) for certain processing activities and to assist in the delivery of Services. We reserve the right to change our Operators at any time without further notice to you, but we will ensure our Operators are bound by this Privacy Policy and our Data Protection Policy or similar terms providing the same or higher level of protection. Such external processing activities include, but are not limited to:
      1. IT systems and infrastructure;
      1. Debt collection services;
      1. Human resources;
      1. Payroll;
      1. Hosting and email infrastructure;
      1. Credit reference agencies;
      1. Direct marketing / mailing services.
    1. We conduct strict due diligence and Know-Your-Customer procedures in respect of our external Operators prior to forming a business relationship. We obtain company documents and references to ensure the Operator is adequate, appropriate and effective for the task we employ them for.
  1. COOKIES
    1. We may place small text files called “cookies” on your device when you visit our Website. Cookies do not contain Personal Information, but they do contain a personal identifier allowing us to associate your Personal Data with a certain device. Cookies serve useful purposes for you, including:
      1. Remembering who you are as a user of our Website to remember any preferences you may have selected on our Website, such as saving your username and password, or settings (“functional cookies”);
      1. allowing our Website to perform its essential functions. Without these cookies, some parts of our Website would stop working (“essential cookies”);
      1. monitoring how our Website is performing, and how you interact with it to understand how to improve our website or Services (“site analytics”).
    1. Your internet browser may accept cookies automatically and you can delete cookies manually. However, no longer accepting cookies or deleting them may prevent you from accessing certain aspects of our Website where cookies are necessary.
    1. Many websites use cookies and more information is available at: www.allaboutcookies.org.
  2. THIRD-PARTY COOKIES
    1. We do not allow third-party cookies on our Website.
  3. PRIVACY POLICIES OF OTHER WEBSITES
    1. Our Website may contain links to other websites, apps, tools, widgets and plug-ins that are run by third parties. If you visit a third-party website or social media site, you should read that website/ social media’s privacy notice, terms and conditions, and their other policies. We are not responsible for the policies and practices of third parties and social media sites. Any personal information you give to those organizations is dealt with under their privacy notice, terms and conditions, and other policies.
    1. If YOU disclose your personal information directly to any third party other than CO3, CO3 SHALL NOT BE LIABLE FOR ANY LOSS OR DAMAGE, HOWSOEVER ARISING, SUFFERED BY YOU AS A RESULT OF YOUR DISCLOSURE OF YOUR PERSONAL INFORMATION TO SUCH THIRD PARTIES.
  4. GOVERNING LAW
    1. This Privacy Policy is governed by South African law.
    1. If any provision of this Privacy Policy is determined to be illegal, void or unenforceable due to applicable law or by order of court, it shall be deemed to be deleted and the continuation in full force and effect of the remaining provisions shall not be prejudiced.
  5. CHANGES TO THIS POLICY
    1. We may amend this Privacy Policy from time to time and we will take reasonably practicable steps to inform you when changes are made. Without limiting the manner in which we may inform you, we may notify you by email, “pop-up” notification on our Website, or notification when you access our Website.
  6. QUERIES, COMPLAINTS, AND INFORMATION REGULATOR
    1. If you have any questions or complaints about your privacy rights or this Privacy Policy, please address your concerns to our Information Officer at popia@co3.co.za. If you feel our attempts at resolving the matter have been inadequate, you may lodge a complaint with the South African Information Regulator through their website, https://www.justice.gov.za/inforeg/.
    1. If you are located outside of South Africa, you may contact the appropriate regulatory authority in your country of domicile.

ANNEXURE – DEFINITIONS

“Associates” means CO3 Technologies (Pty) Ltd subsidiaries and the directors, employees and consultants of CO3 Technologies (Pty) Ltd or any of its subsidiaries;

“Operator” means any person or entity that Processes Personal Information on behalf of a Responsible Party.

“Personal Information” means information or data relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to information relating to –

  • race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;

“Responsible Party” means the entity that decides how and why Personal Information is Processed. Responsible Parties may instruct Operators to process Personal Information on their behalf.

“Service Provider” means third party providers of various services with whom CO3 Technologies (Pty) Ltd engages, including, but not limited to, software licensors, developers and suppliers of software and related products, providers of information technology, communication, file storage, data storage, copying, printing, distribution/logistics, accounting or auditing services, counsel, investigators, attorneys, and employee provident/pension fund administrators, and our insurers and professional advisors;

“Special Personal Information” means Personal Information about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.