LEKKA CARD PRIVACY POLICY

Last Updated: February 4, 2026

Effective Date: February 4, 2026


Site Disclosure

We improve our products and advertising by using Microsoft Clarity to see how you use our website. By using our site, you agree that we and Microsoft can collect and use this data. This privacy policy has more details below.

1. INTRODUCTION

Welcome to Lekka Card ("Lekka," "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy in accordance with the Protection of Personal Information Act, 2013 (POPIA).

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our loyalty rewards platform, including our website (lekkacard.co.za), mobile application, and related services (collectively, the "Services").

Please read this Privacy Policy carefully. By using our Services, you agree to the collection and use of information in accordance with this policy.

Our Contact Details

  • Trading Name: Lekka Card
  • Information Officer: Mr Benjamin Daines
  • Email: hello@lekkacard.co.za
  • Address: Camelot Street, Fairhaven, Somerset West, Cape Town, 7130

2. IMPORTANT NOTICE ABOUT VENDOR DATA SHARING

2.1 How the Lekka Platform Works

Lekka operates as a platform that connects customers with independent businesses (referred to as "Vendors" or "Merchants"). When you sign up for a specific vendor's loyalty program through Lekka:

  • You are entering into a direct relationship with that vendor
  • Your personal information is shared with that vendor
  • The vendor becomes an independent controller of your data for their loyalty program
  • The vendor is responsible for how they use, store, and protect your data

2.2 Lekka's Role vs. Vendor's Role

Lekka's Role:

  • We facilitate the connection between you and vendors
  • We provide the technology platform for loyalty programs
  • We process transactions and stamp/reward redemptions
  • We are a data processor for certain functions

Vendor's Role:

  • Each vendor is an independent business
  • Vendors control their own loyalty programs
  • Vendors are responsible for their use of your data
  • Vendors must comply with POPIA independently

2.3 Limitation of Lekka's Liability

IMPORTANT: Lekka is not responsible for how vendors use, store, or protect your personal information once it is shared with them.

Each vendor:

  • Operates independently
  • Has their own privacy practices
  • Is solely responsible for their compliance with POPIA
  • May use your information in ways outside of Lekka's control

We strongly recommend that you review each vendor's privacy policy before joining their loyalty program.

2.4 Your Consent to Data Sharing

By signing up for a vendor's loyalty program through Lekka, you explicitly consent to:

  • Sharing your personal information with that specific vendor
  • The vendor using your information to operate their loyalty program
  • The vendor contacting you about their offers, rewards, and promotions
  • The vendor storing your information according to their own policies

You can withdraw this consent at any time by unsubscribing from the vendor's program through the Lekka app.


3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

Customer Account Information:

  • Full name
  • Email address
  • Mobile phone number
  • Date of birth (optional)
  • Password (encrypted)
  • Profile photo (optional)

Vendor Account Information:

  • Business name and trading name
  • Business registration number
  • VAT number (if applicable)
  • Physical business address
  • Contact person details
  • Bank account details (for payment processing)
  • Business logo and branding materials

Transaction Information:

  • Loyalty program enrollment
  • Stamps earned and redeemed
  • Rewards claimed
  • Visit history
  • Purchase patterns (aggregate data)

3.2 Information Collected Automatically

Device Information:

  • IP address
  • Device type and model
  • Operating system
  • Browser type
  • Unique device identifiers

Usage Information & Microsoft Clarity:

  • Pages visited
  • Features used
  • Time spent on platform
  • Click patterns and search queries
  • Behavioral metrics, heatmaps, and session replays

Location Information:

  • GPS location (with your permission)
  • Location inferred from IP address
  • Location you provide when searching for businesses

3.3 Information from Third Parties

We may receive information from:

  • Social media platforms (if you connect your account)
  • Payment processors
  • Identity verification services
  • Marketing partners
  • Analytics providers (including Microsoft Clarity)

4. HOW WE USE YOUR INFORMATION

4.1 Lawful Basis for Processing (POPIA Compliance)

We process your personal information based on the following lawful grounds:

  • Consent: When you sign up for vendor programs or opt in to communications
  • Contract Performance: To provide our Services and fulfill our agreement with you
  • Legitimate Interest: To improve our Services, prevent fraud, and ensure security
  • Legal Obligation: To comply with South African laws and regulations

4.2 Specific Uses

We use your information to:

Provide Services:

  • Create and manage your account
  • Connect you with vendor loyalty programs
  • Process stamps and rewards
  • Enable reward redemptions
  • Facilitate communication with vendors

Communication:

  • Send service-related notifications
  • Share updates about your rewards
  • Notify you of special offers (with your consent)
  • Respond to your inquiries
  • Send administrative information

Improvement & Analytics (Microsoft Clarity):

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first- and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

  • Analyze usage patterns and behavior
  • Improve platform functionality and user experience
  • Develop new features
  • Conduct research and analytics
  • Personalize your experience

Security & Fraud Prevention:

  • Detect and prevent fraud
  • Ensure platform security
  • Verify identity
  • Protect against unauthorized access

Legal Compliance:

  • Comply with POPIA and other laws
  • Respond to legal requests
  • Enforce our terms and conditions
  • Protect our rights and property

5. HOW WE SHARE YOUR INFORMATION

5.1 Sharing with Vendors (Primary Data Sharing)

CRITICAL DISCLOSURE: When you join a vendor's loyalty program:

Information Shared with Vendors:

  • Your name
  • Email address
  • Phone number (if required by the vendor)
  • Visit history with that specific vendor
  • Stamps and rewards earned with that vendor
  • Any preferences you set for that vendor's program

What Vendors Can Do:

  • Send you marketing communications
  • Track your visit patterns
  • Offer personalized rewards
  • Store your information in their own systems
  • Use your data according to their own privacy policy

What We Require from Vendors:

  • Vendors must agree to comply with POPIA
  • Vendors must maintain reasonable security measures
  • Vendors must only use data for loyalty program purposes
  • Vendors must respect your privacy rights

Vendor Independence:

Vendors are independent third parties. Lekka:

  • Does not control vendor privacy practices
  • Cannot guarantee vendor compliance with POPIA
  • Is not liable for vendor misuse of your data
  • Cannot force vendors to delete your data (you must contact them directly)

5.2 Other Data Sharing

Service Providers & Partners:

We share information with trusted third-party service providers who assist us:

  • Cloud hosting providers
  • Payment processors
  • Email and SMS service providers
  • Analytics and advertising partners (including Microsoft Clarity and Microsoft Advertising)
  • Customer support platforms

Legal Requirements:

We may disclose information when required by law:

  • Court orders or subpoenas
  • Government investigations
  • Legal proceedings
  • Protection of rights and safety

Business Transfers:

In the event of a merger, acquisition, or sale:

  • Your information may be transferred
  • You will be notified of any such change
  • The new entity must honor this Privacy Policy

Aggregated Data:

We may share anonymized, aggregated data:

  • For research purposes
  • For marketing and business development
  • With partners and investors

This data cannot identify you personally.

5.3 Information We Do NOT Share

We do not:

  • Sell your personal information to third parties
  • Share your data with vendors you haven't joined
  • Share your payment information (handled by secure payment processors)
  • Share your data for purposes unrelated to the Services

6. YOUR RIGHTS UNDER POPIA

As a South African data subject, you have the following rights:

6.1 Right to Access

You have the right to request:

  • Confirmation of what personal information we hold
  • Access to your personal information
  • Details about how we use your information

How to Exercise: Contact hello@lekkacard.co.za

6.2 Right to Correction

You have the right to:

  • Correct inaccurate information
  • Update incomplete information
  • Amend your profile details

How to Exercise: Update your profile in the app or contact hello@lekkacard.co.za

6.3 Right to Deletion

You have the right to request deletion of your information when:

  • It's no longer necessary for the purpose collected
  • You withdraw consent
  • You object to processing
  • It was processed unlawfully

Important Limitations:

  • We may retain information required by law
  • Vendors may retain information independently
  • Deletion may prevent use of Services

How to Exercise: Contact hello@lekkacard.co.za or delete your account in the app

6.4 Right to Object

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing
  • Automated decision-making

How to Exercise: Use unsubscribe links in emails or contact hello@lekkacard.co.za

6.5 Right to Restrict Processing

You have the right to request restriction when:

  • You contest the accuracy of data
  • Processing is unlawful
  • We no longer need the data but you need it for legal claims

How to Exercise: Contact hello@lekkacard.co.za

6.6 Right to Data Portability

You have the right to:

  • Receive your data in a structured, commonly used format
  • Transmit your data to another controller

How to Exercise: Contact hello@lekkacard.co.za

6.7 Right to Complain

You have the right to lodge a complaint with:

  • Information Regulator (South Africa)
  • Website: https://www.justice.gov.za/inforeg/
  • Email: inforeg@justice.gov.za
  • Phone: 012 406 4818
  • Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

6.8 Exercising Your Rights Regarding Vendor Data

Important: For information held by vendors:

  • You must contact the vendor directly
  • Each vendor has their own process for data requests
  • Lekka can facilitate contact but cannot force compliance
  • Vendors are independent data controllers

We will provide vendor contact information upon request.


7. DATA SECURITY

7.1 Our Security Measures

We implement industry-standard security measures:

Technical Safeguards:

  • Encryption of data in transit (SSL/TLS)
  • Encryption of sensitive data at rest
  • Secure authentication mechanisms
  • Regular security audits
  • Firewall protection
  • Intrusion detection systems (including Microsoft Clarity for fraud/security)

Organizational Safeguards:

  • Access controls and authorization
  • Employee training on data protection
  • Confidentiality agreements
  • Regular security reviews
  • Incident response procedures

Physical Safeguards:

  • Secure data centers
  • Access controls to facilities
  • Environmental controls

7.2 Your Responsibilities

You are responsible for:

  • Maintaining password confidentiality
  • Not sharing account credentials
  • Using secure internet connections
  • Reporting suspicious activity
  • Keeping your device secure

7.3 No Guarantee

While we implement strong security measures:

  • No system is completely secure
  • We cannot guarantee absolute security
  • Internet transmission has inherent risks
  • You use the Services at your own risk

7.4 Vendor Security

IMPORTANT: Vendors are responsible for their own security measures. We:

  • Require vendors to maintain reasonable security
  • Cannot guarantee vendor security practices
  • Are not liable for vendor security breaches
  • Recommend reviewing vendor security policies

8. DATA RETENTION

8.1 How Long We Keep Your Data

Active Accounts:

  • We retain your information while your account is active
  • We retain information necessary to provide Services
  • We retain information for legitimate business purposes

Closed Accounts:

  • Account data: Deleted within 90 days (unless required by law)
  • Transaction records: Retained for 7 years (tax/legal requirements)
  • Aggregated analytics: Retained indefinitely (anonymized)

Vendor Program Data:

  • Data shared with vendors is subject to their retention policies
  • We cannot control vendor retention periods
  • You must contact vendors directly regarding their data retention

8.2 Legal Retention Requirements

We may retain information longer when:

  • Required by South African law
  • Necessary for legal proceedings
  • Required for tax purposes
  • Needed to protect our legal rights

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What We Use

Essential Cookies:

  • Authentication and security
  • Platform functionality
  • User preferences

Analytics & Behavioral Tracking (Microsoft Clarity):

  • Usage statistics and performance monitoring
  • User behavior analysis (heatmaps, session replays)
  • Website usage data captured using first- and third-party cookies

Marketing & Advertising Cookies:

  • Advertising effectiveness
  • Retargeting campaigns
  • Social media integration

9.2 Your Choices

You can:

  • Disable cookies in your browser settings
  • Opt out of analytics tracking
  • Manage cookie preferences on our website

Note: Disabling cookies may limit functionality.

9.3 Third-Party Tracking

We use third-party services:

  • Google Analytics
  • Microsoft Clarity & Microsoft Advertising
  • Facebook Pixel

These services have their own privacy policies. For more on Microsoft's data collection, visit their Privacy Statement.


10. INTERNATIONAL DATA TRANSFERS

10.1 Data Storage Location

Your data is primarily stored:

  • On servers located in South Africa
  • With cloud service providers (e.g., AWS, Google Cloud)

These providers may store data in multiple regions.

10.2 Cross-Border Transfers

If we transfer data outside South Africa:

  • We ensure adequate protection measures
  • We use standard contractual clauses
  • We comply with POPIA Chapter 9 requirements
  • We will notify you of such transfers

10.3 Vendor Data Transfers

Vendors may:

  • Store data in different locations
  • Transfer data internationally

We are not responsible for vendor transfer practices. Review vendor policies for transfer information.

11. CHILDREN'S PRIVACY

11.1 Age Restrictions

Our Services are not intended for children under 18.

We do not knowingly:

  • Collect information from children under 18
  • Market to children
  • Allow children to create accounts

11.2 Parental Notice

If we discover we've collected information from a child:

  • We will delete it immediately
  • We will notify the parent/guardian if possible
  • We will terminate the account

11.3 If You're a Parent

If you believe your child has provided information:

  • Contact us immediately at hello@lekkacard.co.za
  • We will investigate and take appropriate action
  • We will delete the information promptly

12. MARKETING COMMUNICATIONS

12.1 Communications You May Receive

From Lekka:

  • Platform updates and new features
  • Tips for using the service
  • Special promotions (with consent)

From Vendors:

  • Loyalty program updates
  • Reward notifications
  • Special offers and promotions
  • Marketing communications

12.2 Your Opt-Out Rights

You can opt out of:

  • Lekka marketing emails (use unsubscribe link)
  • Vendor marketing (contact vendor or unsubscribe)
  • Push notifications (device settings)
  • SMS messages (reply STOP)

Service Communications:

Some communications are essential and cannot be opted out of:

  • Account security alerts
  • Transaction confirmations
  • Important service updates
  • Legal notices

12.3 Vendor Communications

Important: When you join a vendor program:

  • You consent to vendor communications
  • Vendors control their own email frequency
  • You must opt out with each vendor separately
  • Lekka cannot unsubscribe you from vendor lists

13. THIRD-PARTY LINKS AND SERVICES

13.1 External Links

Our Services may contain links to:

  • Vendor websites
  • Social media platforms
  • Partner services
  • Third-party resources

We are not responsible for:

  • Third-party privacy practices
  • Third-party security measures
  • Content on external sites
  • Third-party terms and conditions

13.2 Third-Party Services

We integrate with:

  • Payment processors
  • Social media platforms
  • Analytics and advertising services (Google, Microsoft)
  • Marketing platforms

Each has their own privacy policy.

13.3 Your Responsibility

You should:

  • Review third-party privacy policies
  • Understand how third parties use your data
  • Make informed decisions about sharing data
  • Contact third parties directly with concerns

14. CHANGES TO THIS PRIVACY POLICY

14.1 Updates

We may update this Privacy Policy:

  • To reflect changes in our practices
  • To comply with legal requirements
  • To add new features or services
  • To improve clarity and transparency

14.2 Notification of Changes

Material Changes:

  • We will notify you via email
  • We will display a prominent notice on the platform
  • We will require you to accept the new policy

Non-Material Changes:

  • We will update the "Last Updated" date
  • Changes take effect immediately upon posting
  • Continued use constitutes acceptance

14.3 Review Regularly

We encourage you to:

  • Review this policy periodically
  • Stay informed about our practices
  • Contact us with questions

15. SPECIFIC SCENARIOS

15.1 When You Join a Vendor Program

What Happens:

  1. You browse vendors in the Lekka app
  2. You select "Join Program" for a specific vendor
  3. You see a disclosure of what data will be shared
  4. You accept the vendor's terms
  5. Your information is shared with that specific vendor
  6. The vendor can now contact you and track your visits

Your Rights:

  • You can leave a vendor program anytime
  • Leaving stops future data sharing with that vendor
  • The vendor may retain historical data
  • You must contact the vendor to request deletion

15.2 When You Earn a Stamp

What Happens:

  1. You visit a vendor and make a qualifying purchase
  2. The vendor scans your Lekka Card or enters your ID
  3. A stamp is added to your account
  4. Both you and the vendor see the updated progress
  5. The transaction is recorded in both systems

Data Shared:

  • Date and time of visit
  • Location of visit
  • Stamp awarded
  • Progress toward reward

15.3 When You Redeem a Reward

What Happens:

  1. You reach the required number of stamps
  2. A reward becomes available in your app
  3. You visit the vendor to redeem
  4. You show your reward in the app
  5. The vendor marks it as redeemed
  6. The reward is removed from your account

Data Shared:

  • Reward redemption date and time
  • Reward type
  • Location of redemption

15.4 When You Delete Your Account

What Happens:

  1. You request account deletion in the app
  2. Your Lekka account is deactivated immediately
  3. Your data is deleted within 90 days
  4. Transaction records are retained for legal compliance
  5. Vendors retain data according to their policies

Important:

  • You will lose all unredeemed rewards
  • You must contact vendors separately to delete their data
  • We cannot force vendors to delete your information
  • Some data is retained for legal compliance

16. VENDOR RESPONSIBILITIES AND COMPLIANCE

16.1 Vendor Obligations

All vendors on the Lekka platform must agree to:

POPIA Compliance:

  • Comply with all POPIA requirements
  • Maintain their own lawful basis for processing
  • Implement appropriate security measures
  • Appoint an Information Officer (if required)

Data Usage:

  • Use customer data only for loyalty program purposes
  • Obtain proper consent for marketing
  • Honor customer privacy rights
  • Maintain accurate records

Security:

  • Protect customer information
  • Report data breaches
  • Implement access controls
  • Train staff on data protection

16.2 What We Require from Vendors

Contractual Obligations:

  • Vendors sign our Vendor Agreement
  • Agreement includes data protection clauses
  • Vendors confirm POPIA compliance
  • Vendors accept liability for their data practices

Prohibited Conduct:

  • Selling customer data
  • Sharing data with unauthorized parties
  • Using data for purposes unrelated to loyalty
  • Violating customer privacy rights

16.3 Vendor Non-Compliance

If a Vendor Violates Terms:

  • We may suspend their program
  • We may terminate their account
  • We may report violations to authorities
  • We may notify affected customers

Customer Remedies:

  • Report vendor violations to hello@lekkacard.co.za
  • We will investigate reported violations
  • We may take action against non-compliant vendors
  • You may also report directly to the Information Regulator

16.4 Lekka's Limitations

We Cannot:

  • Audit every vendor's practices
  • Guarantee vendor compliance
  • Access vendor's internal systems
  • Force vendors to delete data
  • Be held liable for vendor actions

We Will:

  • Remove non-compliant vendors when discovered
  • Cooperate with regulatory investigations
  • Provide vendor contact information on request
  • Support customers in exercising their rights

17. SPECIFIC POPIA COMPLIANCE STATEMENTS

17.1 Accountability

Responsible Party: Lekka Card

Information Officer: Mr Benjamin Daines — hello@lekkacard.co.za

We take responsibility for:

  • Personal information in our possession
  • Compliance with POPIA conditions
  • Security measures we implement
  • Our own processing activities

We do not take responsibility for:

  • Vendor processing activities
  • Vendor security breaches
  • Vendor non-compliance with POPIA
  • Third-party service provider practices (beyond contractual requirements)

17.2 Processing Limitation

We process information only:

  • For specified, lawful purposes
  • With your knowledge and consent
  • In a manner adequate, relevant, and not excessive
  • As disclosed in this Privacy Policy

17.3 Purpose Specification

We collect and use information for:

  • Providing loyalty platform services
  • Facilitating vendor-customer relationships
  • Improving our Services
  • Complying with legal obligations
  • As specifically disclosed at collection

17.4 Further Processing Limitation

We will not process information:

  • Incompatible with original purpose
  • Without obtaining new consent
  • Beyond what you reasonably expect
  • In violation of POPIA principles

17.5 Information Quality

We ensure information is:

  • Complete and not misleading
  • Accurate and up-to-date
  • Corrected upon request
  • Verified where necessary

17.6 Openness

We are transparent about:

  • What information we collect
  • How we use information
  • Who we share information with
  • Your rights under POPIA

17.7 Security Safeguards

We implement measures to:

  • Prevent loss or damage
  • Prevent unauthorized access
  • Prevent unlawful processing
  • Secure information integrity

17.8 Data Subject Participation

We enable you to:

  • Access your information
  • Request corrections
  • Object to processing
  • Request deletion
  • Exercise all POPIA rights

18. CONTACT US

18.1 Privacy Questions

For privacy-related questions:

  • Email: hello@lekkacard.co.za
  • Subject Line: "Privacy Inquiry"
  • Response Time: Within 5 business days

18.2 Data Subject Requests

To exercise your POPIA rights:

  • Email: hello@lekkacard.co.za
  • Subject Line: "POPIA Request - [Type of Request]"
  • Include: Your name, contact details, and specific request
  • Response Time: Within 30 days (may be extended if complex)

18.3 General Support

For general support:

  • Email: hello@lekkacard.co.za
  • Hours: Monday–Friday, 9am–5pm SAST
  • Address: Camelot Street, Fairhaven, Somerset West, Cape Town, 7130

18.4 Information Regulator

To lodge a complaint:

  • Organisation: Information Regulator (South Africa)
  • Website: https://www.justice.gov.za/inforeg/
  • Email: inforeg@justice.gov.za
  • Phone: 012 406 4818
  • Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

19. DEFINITIONS

  • "Customer" - An individual who creates an account to use Lekka Services
  • "Vendor" or "Merchant" - A business that offers a loyalty program through Lekka
  • "Personal Information" - Information as defined in POPIA Section 1
  • "Processing" - Any operation performed on personal information as defined in POPIA
  • "Services" - Lekka's platform, including website, mobile app, and related services
  • "POPIA" - Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
  • "Information Officer" - The person designated to ensure POPIA compliance
  • "Data Subject" - The person to whom personal information relates (you)
  • "Responsible Party" - Lekka Card
  • "Operator" - Any person who processes personal information on behalf of Lekka

20. ACKNOWLEDGMENT AND ACCEPTANCE

By using Lekka Services, you acknowledge that:

  1. You have read and understood this Privacy Policy
  2. You consent to the collection and use of your information as described
  3. You understand that vendor programs involve data sharing with vendors
  4. You understand vendors are independent data controllers
  5. You understand Lekka's limitations regarding vendor data practices
  6. You agree to the terms outlined in this Privacy Policy

If you do not agree to this Privacy Policy, please do not use our Services.


Document Version: 1.1
Last Updated: February 12, 2026
Effective Date: February 12, 2026
Next Review Date: February 12, 2027