Privacy Notice

1. Introduction

Cosslett & Associates Inc. ("we", "us", "our") is committed to protecting your personal information and respecting your privacy rights in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Promotion of Access to Information Act 2 of 2000 ("PAIA"), and other applicable South African laws.

This Privacy Notice explains how we collect, use, store, share, and protect your personal information when you use our website, engage our accounting, tax, and advisory services, or otherwise interact with us.

By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Notice.

2. Definitions

In this Privacy Notice, unless the context indicates otherwise:

• "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable existing juristic person, as defined in section 1 of POPIA.
• "Processing" means any operation or activity concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating, retrieval, consultation, use, dissemination, merging, linking, restriction, degradation, erasure, or destruction.
• "Responsible Party" means the entity that determines the purpose and means for processing personal information. For the purposes of this Notice, Cosslett & Associates Inc. is the Responsible Party.
• "Data Subject" means the person to whom personal information relates.
• "Information Officer" means the person designated in terms of section 55 of POPIA and section 1 of PAIA.

3. Information We Collect

We may collect and process the following categories of personal information:

3.1 Information You Provide Directly

• Full name, identity number, and date of birth
• Contact details (physical address, email address, telephone numbers)
• Company registration number, VAT number, and tax reference numbers
• Banking details and financial information
• Employment and income information
• Information provided via our contact forms or during consultations

3.2 Information Collected Automatically

• IP address, browser type, and device information
• Pages visited, time spent on site, and referring website
• Cookies and similar tracking technologies (see Section 10 below)

3.3 Information from Third Parties

• Information from SARS, CIPC, and other regulatory bodies
• Information from credit bureaus and verification agencies
• Information from your employer, business partners, or service providers

4. Purpose of Processing

We process your personal information for the following lawful purposes:

• Service Delivery: To provide accounting, tax, payroll, bookkeeping, and business advisory services
• Tax Compliance: To prepare and submit tax returns, VAT returns, PAYE submissions, and other statutory returns to SARS
• Regulatory Compliance: To comply with our obligations under the Companies Act 71 of 2008, Tax Administration Act 28 of 2011, Financial Intelligence Centre Act 38 of 2001 (FICA), and other applicable legislation
• Communication: To respond to enquiries, provide updates, and send service-related notifications
• Quality Assurance: To maintain and improve the quality of our services
• Legal Obligations: To comply with court orders, legal processes, and regulatory requirements
• Fraud Prevention: To detect, prevent, and investigate fraud, money laundering, and other unlawful activities
• Marketing: To send you information about our services, where you have consented or where permitted by law

5. Legal Basis for Processing

In terms of section 11 of POPIA, we process personal information based on one or more of the following lawful grounds:

• Consent: Where you have given explicit consent for specific processing activities
• Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party
• Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject
• Legitimate Interest: Where processing is necessary for our legitimate interests, provided such interests do not override your fundamental rights and freedoms
• Protection of Vital Interests: Where processing is necessary to protect your vital interests or those of another person

6. Sharing of Personal Information

We may share your personal information with the following categories of recipients:

• SARS and Regulatory Bodies: For tax compliance, registration, and regulatory purposes
• CIPC: For company secretarial and compliance filings
• Service Providers: Cloud storage providers, IT support, and professional service providers who assist us in delivering our services
• Financial Institutions: Banks and payment processors for transaction processing
• Legal and Professional Advisors: Attorneys, auditors, and other professionals where necessary
• Law Enforcement: Where required by law or to protect our legal rights

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes.

7. Transborder Data Flows

We primarily store and process personal information within the Republic of South Africa. However, certain personal information may be transferred to or stored in cloud services located outside South Africa (including but not limited to the United States, European Union, and United Kingdom) for purposes of:

• Cloud accounting platform hosting (e.g., Xero, QuickBooks Online)
• Secure data backup and disaster recovery
• Email and communication services

Any such transfers are conducted in compliance with section 72 of POPIA and only to jurisdictions that provide an adequate level of protection for personal information, or where appropriate contractual safeguards are in place.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction, including:

• Bank-level encryption (AES-256) for data at rest and in transit
• Multi-factor authentication for all systems
• Regular security audits and vulnerability assessments
• Access controls and role-based permissions
• Secure cloud infrastructure with ISO 27001 certification
• Staff training on data protection and POPIA compliance
• Incident response and breach notification procedures

9. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including:

• For the duration of our engagement with you
• For the period required by applicable tax and accounting legislation (generally 5 years from the date of the last entry in terms of the Tax Administration Act)
• For the period required to comply with professional indemnity and other insurance requirements
• For the period necessary to resolve disputes and enforce our agreements

Upon expiry of the retention period, your personal information will be securely destroyed or de-identified in accordance with our data retention policy.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse site traffic, and understand user behaviour. The types of cookies we use include:

• Essential Cookies: Necessary for the website to function properly
• Analytical Cookies: Help us understand how visitors interact with our website (e.g., Google Analytics)
• Marketing Cookies: Used to deliver relevant advertisements and track campaign performance (e.g., Google Ads)

You can manage your cookie preferences through your browser settings. By continuing to use our website, you consent to our use of cookies as described herein.

11. Your Rights as a Data Subject

In terms of POPIA, you have the following rights regarding your personal information:

• Right to Access: Request confirmation of whether we hold personal information about you and request access to such information
• Right to Rectification: Request correction of inaccurate, misleading, or incomplete personal information
• Right to Erasure: Request deletion of your personal information where processing is no longer lawful
• Right to Restriction: Request restriction of processing in certain circumstances
• Right to Object: Object to the processing of your personal information for direct marketing purposes or on grounds relating to your particular situation
• Right to Data Portability: Request transfer of your personal information to another responsible party in a structured, machine-readable format
• Right to Lodge a Complaint: Lodge a complaint with the Information Regulator if you believe your rights have been infringed

To exercise any of these rights, please contact our Information Officer using the details provided in Section 14 below. We will respond to your request within a reasonable time and in accordance with POPIA.

12. Information Officer and Deputy Information Officer

In terms of section 55 of POPIA and section 1 of PAIA, the following persons have been designated:

• Information Officer: Managing Director, Cosslett & Associates Inc.
• Deputy Information Officer: To be designated as required

13. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, legal requirements, or operational needs. Any material changes will be communicated to you via email or posted on our website. We encourage you to review this Notice periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Notice or our data protection practices, please contact us:

• Email: info@cainc.africa
• Phone: +27 69 042 4733
• Postal Address: Cosslett & Associates Inc., Remote — South Africa Nationwide

You may also lodge a complaint with the Information Regulator:

• Website: www.inforegulator.org.za
• Email: inforeg@justice.gov.za