Privacy Policy
Herbst Group of Companies
Document Reference: HG-PRIVACY-POLICY-WEB
Policy Design: © STEYN IP [M00003830_LC/CS/lm]
Effective Date: 25 November 2025
Last Updated: 23 January 2026
Version: 1.0
Document Control
| Action | Name | Date |
|---|---|---|
| Board Resolution | Board of Directors | 11 November 2025 |
| Reviewed | Tiaan Keyser | November 2025 |
| Approved | Dieter Herbst | November 2025 |
| Validated | Dieter Herbst | 23 January 2026 |
Introduction
Herbst Group (Pty) Ltd and its associated entities ("Herbst Group of Companies", "we", "us", or "our") are committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).
This policy applies to all interactions with herbstgroup.io and covers all five entities operating under our shared governance framework:
- Herbst Group (Pty) Ltd - Registration No. 2017/352945/07
- Herbst Alliance (Pty) Ltd - Registration No. 2024/568485/07
- Herbst Team (Pty) Ltd - Registration No. 2024/711522/07
- Herbst Intelligence - AI and automation division
- Herbst Commercial - Consumer products division
All entities share a unified compliance framework, meaning your rights are protected consistently regardless of which entity you engage with.
Our Commitment
We process your personal information fairly and responsibly. We collect only what we need, use it only for stated purposes, keep it secure, and respect your rights over your own data.
Information Officer Designation
By board resolution dated 11 November 2025, the Company has designated and registered the following officers in accordance with section 55 of POPIA read with section 1 of the Promotion of Access to Information Act 2 of 2000 (PAIA):
Information Officer
Willem Dieter Herbst
Chief Executive Officer
Email: privacy@herbstgroup.io
Deputy Information Officer
Tiaan Keyser
Chief Analytics Officer
Email: privacy@herbstgroup.io
The Information Officer and Deputy Information Officer have been registered with the Information Regulator as required by section 55(2) of POPIA. Registration No. 2026-001668, issued 8 February 2026.
What Personal Information We Collect
Information You Provide Directly
Contact Form Submissions
- Full name
- Email address
- Company name (optional)
- Your message or enquiry
Newsletter Subscriptions
- Full name
- Email address
Consultation Requests
- Full name
- Email address
- Company name
- Phone number
- Details of your requirements
Information Collected Automatically
Analytics Data (Aggregated and Anonymous)
We use Plausible Analytics, a privacy-focused analytics service that does not use cookies or collect personally identifiable information. We collect only aggregated, anonymous data including:
- Page views and unique visitors (aggregated counts only)
- Referral sources (which website or search engine referred you)
- Device type and browser (general categories only)
- Geographic region (country level only, derived from anonymised IP)
- Pages visited and time spent (aggregated trends)
This data cannot be used to identify you personally. Plausible does not store your IP address, does not use cookies, and does not track you across websites.
Technical Data Processed by Our Infrastructure
When you visit our website, our hosting and security infrastructure necessarily processes certain technical data to deliver our services:
- IP address (processed by Vercel for security and routing; not stored by us)
- Browser user agent (for page rendering)
- Request timestamps (for security monitoring)
This technical data is processed in transit and is not stored in a manner that identifies you personally.
How We Use Your Information
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Respond to your enquiries | Consent | Contact form data |
| Send marketing communications | Explicit consent | Newsletter subscription data |
| Schedule consultations | Consent | Consultation request data |
| Improve our website | Legitimate interest | Aggregated analytics |
| Protect against security threats | Legitimate interest | Technical traffic data |
| Comply with legal obligations | Legal requirement | As required |
We do not sell, rent, or trade your personal information to third parties.
Consent
Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing conducted before withdrawal.
Newsletter subscriptions use double opt-in confirmation:
- You submit your email address
- We send a confirmation email via Resend
- You click the confirmation link
- Your subscription activates
You can unsubscribe at any time using the link in any newsletter.
How Long We Keep Your Information
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form submissions | 24 months | To respond to and follow up on enquiries |
| Newsletter subscriptions | Until you unsubscribe | To send requested communications |
| Consultation requests | 36 months | To maintain client relationship records |
| Analytics data | 24 months | To understand website performance trends |
After these periods, we securely delete or anonymise your information. If you request deletion earlier, we will process your request within 30 days.
Third-Party Processors
We work with carefully selected service providers who process data on our behalf. We are transparent about every service that interacts with data on our website:
Current Third-Party Processors
| Provider | Service | Data Processed | Location |
|---|---|---|---|
| Vercel | Website hosting | Traffic data, IP addresses (transient) | Global with Cape Town PoP |
| Squarespace | Domain registration | Domain records only (no personal data) | USA |
| Plausible | Website analytics | Aggregated anonymous data only | European Union |
| Formspree | Contact form handling | Form submissions (name, email, message) | USA |
| Resend | Email and newsletter delivery | Subscriber data (name, email) | USA |
| GitHub | Version control and deployment | Source code only (no personal data) | USA |
| Anthropic | AI content assistance (Claude) | Content generation (no PII processed) | USA |
| | API integration | Public post content only | USA |
| Google Fonts | Typography delivery | IP address (transient, for font delivery) | USA |
Planned and Potential Future Processors
The following services may be integrated in future. We will update this policy when any new processor is implemented:
| Provider | Service | Intended Location | Status |
|---|---|---|---|
| Turso | Database | South Africa (pending confirmation) | SA data residency requested |
| Microsoft Azure | Cloud storage and processing | Global (SA region available) | GDPR compliant, ISO 27001 |
| Microsoft 365 | Productivity and collaboration | Global | POPIA-aligned DPA available |
| Notion | Form integration and data management | USA | Privacy policy reviewed |
All processors are contractually required to:
- Process data only on our instructions
- Implement appropriate security measures
- Not share data with other parties without authorisation
- Delete data when the processing relationship ends
- Notify us of any data breaches affecting our data
Cross-Border Transfers
Your data may be stored, transferred, or processed outside the borders of South Africa.
Specifically, the following services process data in locations outside South Africa:
| Service | Data Centre Locations | Safeguards |
|---|---|---|
| Vercel | Global (including USA, EU); Cape Town PoP | GDPR compliant, Standard Contractual Clauses |
| Squarespace | USA | Privacy policy reviewed |
| Formspree | USA | Privacy policy reviewed |
| Resend | USA | Privacy policy reviewed |
| GitHub | USA | SOC 2 Type II certified |
| Anthropic | USA | Enterprise security practices |
| | USA | Platform terms and privacy policy |
| Google Fonts | USA | Google Privacy Policy |
| Plausible | European Union | GDPR by design |
For South African data residency: We have submitted a request to Turso for South African data residency. Microsoft Azure also offers South African data centre regions (Johannesburg and Cape Town). Should a client portal or cloud storage be implemented, we intend to utilise South African data centres where available to ensure POPIA-compliant data residency for personal information requiring local storage. This policy will be updated when these capabilities are confirmed and implemented.
Where we transfer personal information to other countries, we ensure appropriate safeguards are in place:
- Adequacy decisions (EU countries)
- Standard Contractual Clauses where applicable
- Vendor security certifications (SOC 2, ISO 27001, GDPR compliance)
- Your explicit consent where required
Security Measures
We implement appropriate technical and organisational measures to protect your personal information:
Technical Measures
- HTTPS encryption on all pages (TLS 1.3)
- Comprehensive security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
- Cookieless analytics (no client-side tracking)
- Environment variable protection for all API keys (encrypted storage)
- DDoS protection via hosting provider
- Quarterly API key rotation
Organisational Measures
- Access limited to authorised personnel with role-based permissions
- Multi-factor authentication required for all administrative access
- Staff training on data protection
- Documented security and incident response procedures
- Regular compliance audits
- Version control with complete audit trail
No method of transmission over the internet is completely secure. While we strive to protect your information using industry-standard practices, we cannot guarantee absolute security.
Your Rights
Under POPIA, you have the following rights:
- Right to Access - Request a copy of the personal information we hold about you.
- Right to Correction - Request correction of inaccurate or incomplete information.
- Right to Deletion - Request deletion of your personal information where there is no compelling reason for continued processing.
- Right to Object - Object to processing of your personal information in certain circumstances.
- Right to Data Portability - Request your data in a structured, machine-readable format.
- Right to Withdraw Consent - Withdraw consent at any time for processing based on consent.
How to Exercise Your Rights
Submit your request to our Information Officer:
Information Officer: Willem Dieter Herbst
Email: privacy@herbstgroup.io
Subject Line: POPIA Request - [Your Request Type]
Deputy Information Officer: Tiaan Keyser
Email: privacy@herbstgroup.io
Postal Address:
Information Officer
Herbst Group (Pty) Ltd
Suite E106, Midlands Office Park East
Mount Quray Street, Midstream Estate
1692
South Africa
We will:
- Verify your identity
- Process your request within 30 days
- Inform you of any actions taken or reasons for refusal
We do not charge a fee for legitimate requests.
Cookies and Tracking
We do not use cookies for tracking purposes.
Our analytics solution (Plausible) is cookieless by design. We do not use:
- Tracking cookies
- Third-party advertising cookies
- Social media tracking pixels
- Fingerprinting technologies
- Cross-site tracking of any kind
Essential technical processes may involve transient data processing for functionality such as form submission handling and font delivery (via Google Fonts). None of these create persistent tracking identifiers on your device.
Children's Information
Our services are directed at businesses and professionals. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child without appropriate consent from a competent person (such as a parent or legal guardian), we will delete that information promptly.
Direct Marketing
We only send marketing communications if you have given explicit consent, typically through a clear opt-in form on our website. We never pre-tick a consent box for you.
You can opt out of marketing communications at any time by:
- Clicking the unsubscribe link in any email we send you
- Adjusting your preferences at the preference centre
- Writing to privacy@herbstgroup.io with "Unsubscribe" in the subject line
Opting out of marketing does not affect communications necessary to respond to your enquiries or provide requested services. The detailed rules that govern our content distribution and marketing communications are set out in the next section.
Content Distribution and Marketing Communications
Where we send you publications, professional briefings, event invitations, or client deliverables, we apply the rules set out in our Content Distribution and Marketing Communications Policy (POL-CONTENT-001 v2.0, effective 3 May 2026, signed by the Information Officer and Deputy Information Officer). The full policy is available on request from the Information Officer; the operative commitments are summarised below.
Opt-in for prospects
If you are not already an active client of ours, we send you marketing communications only on positive opt-in consent under POPIA section 11(1)(a). We use a clear consent form before adding any address to a list. We never pre-tick a consent box for you. We never disguise marketing as something else.
Existing clients
If you are an active client of ours, POPIA section 69(3) lets us send you information about similar services we provide without seeking fresh consent. Every such email carries a one-click unsubscribe link.
One-click unsubscribe
Every marketing email from Herbst Group carries an unsubscribe link in its footer. Clicking that link is the fastest way to stop further communications. We honour the unsubscribe immediately. You can also adjust which streams you receive (rather than withdrawing all of them) at the preference centre.
First-contact rule
South African law allows us to send a person we do not know exactly one message to ask whether they would like to receive our content. If you decline, we record that and do not contact you again. This rule follows POPIA section 69(2), read with the Information Regulator's Direct Marketing Guidance Note of 3 December 2024.
National opt-out registry
Under the Consumer Protection Act Amendment Regulations, 2026 (effective 15 April 2026), we register with the National Consumer Commission's marketer registry and cleanse our marketing lists monthly against the public opt-out register. If you have placed yourself on the registry, you will not receive a marketing communication from us, regardless of any prior consent.
Sub-processors
A small set of carefully selected service providers (sub-processors) help us deliver these communications, host the consent and preference pages, and keep the data secure. The current authoritative list — what each one does, where it operates, and the legal basis for any cross-border transfer — is published in the Herbst Group Sub-Processor Register. We update the Register and this page within ten business days of any change.
Retention for marketing records
Active marketing consents and the contact details supporting them are retained for 24 months (60 months for client deliverables). After that we invite you to renew or delete the record. Withdrawn consents are kept for three years as evidence of your withdrawal, then deleted. Refused-consent records (do-not-contact list) are retained indefinitely so we do not re-approach you in error.
Identifying our messages
Every electronic marketing communication from Herbst Group identifies us as the sender, gives you a no-cost way to refuse further communications, and on request will tell you the source from which we obtained your contact details (Electronic Communications and Transactions Act 25 of 2002, section 45).
Data Breaches
In the event of a security compromise that may affect your personal information, we will:
- Notify the Information Regulator as required by POPIA
- Notify you as soon as reasonably possible
- Provide details of the breach and steps we are taking
- Offer guidance on protective measures you can take
Our incident response procedures categorise breaches by severity (P1-P4) with response times ranging from 1 hour for critical incidents to 72 hours for low-severity issues.
Complaints
If you believe we have not handled your personal information properly, you have the right to lodge a complaint with:
Information Regulator (South Africa)
Physical Address:
JD House, 27 Stiemens Street
Braamfontein, Johannesburg, 2001
Postal Address:
P.O Box 31533
Braamfontein, Johannesburg, 2017
Email: inforeg@justice.gov.za
Website: https://inforegulator.org.za
Complaints Email: complaints.IR@justice.gov.za
We encourage you to contact us first so we can try to resolve your concerns directly.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this page
- For significant changes, we may notify you by email or prominent website notice
- Continued use of our website after changes constitutes acceptance of the updated policy
We recommend reviewing this policy periodically. This policy is reviewed annually by our compliance team.
Contact Us
For any questions about this Privacy Policy or how we handle your personal information:
General Enquiries
Email: info@herbstteam.com
Phone: +27 10 158 4336
Information Officer (POPIA Requests)
Name: Willem Dieter Herbst
Email: dieter@herbstteam.com
Deputy Information Officer
Name: Tiaan Keyser
Email: tiaan@herbstteam.com
Postal Address:
Herbst Group (Pty) Ltd
Suite E106, Midlands Office Park East
Mount Quray Street, Midstream Estate
1692
South Africa
Shared Governance Statement
This Privacy Policy applies across all Herbst Group of Companies entities. Our shared governance model ensures consistent data protection standards whether you engage with Herbst Group, Herbst Alliance, Herbst Team, Herbst Intelligence, or Herbst Commercial.
The responsible party for POPIA purposes is Herbst Group (Pty) Ltd, which maintains centralised compliance oversight for the group.
Legal Authority
This Privacy Policy was adopted pursuant to a resolution of the Board of Directors of Herbst Group (Pty) Ltd dated 11 November 2025, whereby the Board resolved to:
- Commence the process towards obtaining POPIA compliance
- Designate Willem Dieter Herbst as Information Officer
- Appoint Gesina Wilhelmina Symms as Deputy Information Officer
- Register the Information Officer and Deputy Information Officer with the Information Regulator
The resolution was signed by Willem Dieter Herbst in his capacity as director of the Company and Chair of the Board.
Subsequent designation: The Deputy Information Officer designation was superseded by Board Resolution HG-BOARD-RES-2026-02 (signed 21 April 2026, EVID-742), appointing Tiaan Keyser, Chief Analytics Officer, as Deputy Information Officer in place of Gesina Wilhelmina Symms. The Information Officer designation (Willem Dieter Herbst) is unchanged. The Information Regulator was notified of the change per POPIA s.55(2).
Version History
| Version | Date | Description | Reviewer | Approver |
|---|---|---|---|---|
| 1.0 | 25 November 2025 | Initial publication | Tiaan Keyser | Dieter Herbst |
| 1.1 | 3 May 2026 | Added Content Distribution and Marketing Communications section per POL-CONTENT-001 v2.0; corrected Deputy Information Officer designation per HG-BOARD-RES-2026-02 (Tiaan Keyser supersedes prior designation); statutory contact email aligned to privacy@herbstgroup.io per PAIA Manual v1.2. | Tiaan Keyser | Dieter Herbst |