Privacy Policy.

This Privacy Policy explains how Leera Digital Technologies (PTY) LTD (“Leera”, “we”, “our”, or “us”) collects, uses, stores, protects, transfers, and otherwise processes personal information and related business data through its collections intelligence, AI-assisted collections communication, analytics, workflow automation, integration and financial services technology solutions (the “Platform”), our websites, and associated business operations.

This Policy is intended to support compliance with applicable privacy and data protection laws, including the Protection of Personal Information Act, 2013 (“POPIA”) of South Africa and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), together with other laws that apply to our Clients, services, or operations.

This Policy applies to:

• Clients using the Platform;
• Customers, account holders, debtors, policyholders, and other end-users whose information is processed through the Platform on behalf of Clients;
• Website visitors;
• Prospective clients, suppliers, and business contacts; and
• Any other individual whose personal information we process in the course of our business.

Leera is committed to lawful, fair, and transparent processing, appropriate security safeguards, accountability, and respect for the rights of data subjects.

Leera’s role depends on the processing activity concerned.

2.1 When Leera acts for Clients

Where Leera processes personal information on behalf of a Client in order to provide the Platform or related services, the Client generally acts as the party deciding the purpose and means of processing. In those cases, the Client is typically the Responsible Party under POPIA and the Controller under GDPR, while Leera acts as an Operator under POPIA and a Processor under GDPR, processing information only on documented instructions and in terms of applicable contracts and law.

2.2 When Leera acts for its own business purposes

Where Leera processes personal information for its own business purposes, such as managing client accounts, supplier relationships, website operations, security, recruitment, legal compliance, product administration, and direct business communications, Leera generally acts as the Responsible Party under POPIA and the Controller under GDPR.

2.3 Client responsibility

Clients remain responsible for ensuring that they have an appropriate legal basis and any required notices, authorizations, consents, or other permissions to disclose and instruct the processing of customer data through the Platform.

• Personal Information means information relating to an identifiable, living natural person and, where applicable under POPIA, an identifiable existing juristic person.
• Personal Data has the meaning given under GDPR and is used in this Policy interchangeably with personal information where appropriate.
• Client Data means information submitted to, stored in, or processed through the Platform by or on behalf of a Client.
• Data Subject means the person to whom personal information or personal data relates.
• Processing includes collection, receipt, recording, organisation, storage, updating, retrieval, consultation, use, dissemination, transfer, restriction, erasure, destruction, and any other operation performed on information.
• Special Personal Information / Special Categories of Personal Data means information subject to additional legal protection, including where relevant information relating to health, biometric data, religious or philosophical beliefs, race or ethnic origin, trade union membership, sex life or sexual orientation, and criminal behaviour, subject to applicable law.
• AI Systems means artificial intelligence, machine learning, predictive analytics, automation, natural language processing, generative AI, and large language model technologies used by Leera.

Depending on the services used and the nature of the Client relationship, Leera may process the following categories of information:

4.1 Identification and contact information

• Names and surnames;
• Identity, passport, company, or registration numbers;
• Email addresses and telephone numbers;
• Residential, postal, or business addresses;
• Account, customer, policy, or reference numbers.

4.2 Financial services and account information

• Account or loan references;
• Collection, repayment, settlement, or arrears status;
• Payment arrangements and interaction history;
• Affordability, segmentation, risk, or workflow indicators where lawfully supplied by Clients;
• Communication preferences and engagement outcomes.

4.3 Technical, platform, and usage information

• IP addresses and device information;
• Browser and operating system details;
• Authentication data, access timestamps, session logs, and audit trails;
• API, integration, security monitoring, and diagnostic information.

4.4 Communications and AI interaction data

• Conversation inputs and outputs;
• Prompts, templates, and communication content;
• Feedback, quality assurance notes, and model interaction metadata;
• Operational, analytical, and predictive outputs generated through Platform functionality.

Leera does not act as a bank, lender, insurer, credit bureau, debt counsellor, or financial adviser unless expressly stated in a separate written agreement and legally authorised.

We may collect information directly from the relevant person, from Clients and their authorised users, from integrations and service providers, from website and platform usage, from public or regulatory sources where lawful, and from other sources where permitted by applicable law.

Leera processes information only for specific, explicit, and lawful purposes, including to:

• Provide, maintain, support, and improve the Platform and related services;
• Enable customer engagement, communications, collections, repayment, and workflow orchestration;
• Provide analytics, dashboards, segmentation, forecasting, and reporting;
• Detect fraud, misuse, unauthorized access, and security incidents;
• Manage integrations, service delivery, billing, account administration, and supplier relationships;
• Comply with legal, regulatory, contractual, audit, and governance requirements;
• Respond to requests, complaints, disputes, and exercises of rights;
• Communicate with clients and prospective clients about our services where permitted by law.

We will not process personal information for purposes that are incompatible with the original purpose of collection unless permitted or required by law.

7.1 POPIA

Where POPIA applies, Leera processes personal information in accordance with POPIA’s conditions for lawful processing, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Depending on the circumstances, processing may be based on consent, contractual necessity, compliance with law, protection of a legitimate interest of the data subject, pursuit of Leera’s or a Client’s legitimate interests where permitted, or another lawful justification recognised by POPIA.

7.2 GDPR

Where GDPR applies and Leera acts as controller, we rely on one or more lawful bases, including performance of a contract, compliance with legal obligations, legitimate interests, consent, or protection of vital interests where relevant. Where Leera acts as processor, we process personal data on documented instructions from the relevant controller unless otherwise required by law.

7.3 Special categories and children’s data

Where special personal information, special category data, criminal information, or children’s information is processed, this will be done only where a specific legal basis, exemption, authorisation, or other lawful justification applies.

Where Leera collects personal information directly from a data subject for its own purposes, we will provide or make available appropriate notice regarding the identity of the collecting entity, the purpose of collection, whether supply is voluntary or mandatory, the consequences of failing to provide information where relevant, categories of recipients, possible cross-border transfers, the rights available to the data subject, and complaint mechanisms, subject to lawful exceptions.

Where Leera processes information on behalf of Clients, the relevant Client is generally responsible for providing the primary privacy notice to its own customers or end-users, although Leera may support Clients with information reasonably required for those notices.

Leera may disclose or make information available to the following categories of recipients where necessary and lawful:

• Clients and their authorised users;
• Cloud hosting, infrastructure, storage, analytics, communications, and security service providers;
• Professional advisers, auditors, insurers, and financiers bound by confidentiality obligations;
• Integration partners and subprocessors engaged to support service delivery;
• Regulators, courts, supervisory authorities, law enforcement, or other persons where disclosure is required or authorised by law;
• A successor entity, purchaser, or investor as part of a lawful transaction, subject to appropriate protections.

Leera does not sell personal information. Third parties engaged by Leera are required, where applicable, to process information under written obligations addressing confidentiality, security, lawful processing, and restrictions on use.

Personal information may be processed or stored in countries outside South Africa, the European Economic Area, or the country in which the relevant data subject is located where our infrastructure, support operations, or service providers operate internationally.

Where cross-border transfers occur, Leera will take steps appropriate to the applicable law. This may include transfer to jurisdictions recognised as providing an adequate level of protection, the use of binding contractual safeguards, transfer where necessary for contract performance, transfer based on consent where lawful, or another lawful transfer mechanism recognised by POPIA, GDPR, or other applicable law.

Leera implements appropriate technical and organisational measures designed to protect personal information against loss, misuse, unauthorized access, disclosure, alteration, and destruction. Depending on the service and risk context, such measures may include:

• Encryption in transit and at rest where appropriate;
• Role-based access controls and least-privilege permissions;
• Authentication, logging, monitoring, and audit controls;
• Secure development, vulnerability management, patching, and testing processes;
• Segregation of environments and tenant or client separation controls;
• Confidentiality undertakings, training, and incident response procedures.

No method of transmission or storage is completely secure, but we take reasonable and appropriate steps to reduce risk and continuously improve our safeguards.

Leera retains personal information only for as long as reasonably necessary for the purpose for which it was collected or subsequently lawfully processed, or as required by applicable law, contract, audit, security, evidentiary, or dispute-resolution requirements.

At the end of the applicable retention period, personal information may be deleted, de-identified, anonymised where lawful and appropriate, archived where required, or returned to the relevant Client in accordance with contractual arrangements and legal obligations.

13.1 Use of AI technologies

Leera may use AI Systems to assist with communication generation, workflow orchestration, summarisation, prediction, segmentation, prioritisation, quality assurance, and operational insights.

13.2 Human oversight and responsible use

AI-generated outputs may require human review, approval, or validation before operational use, particularly where outcomes may significantly affect individuals. Clients remain responsible for reviewing and governing their own use of Platform outputs in their regulated decision-making environments.

13.3 Client data isolation and restricted use

Leera maintains logical and operational controls intended to keep Client environments separate. We do not intentionally use one Client’s identifiable confidential information to benefit another Client.

13.4 Model improvement

Unless otherwise agreed in writing, Leera will not intentionally use identifiable Client personal information to train shared general-purpose models in a manner inconsistent with law, contract, or client instructions. Leera may use aggregated, statistical, de-identified, anonymised, or non-client-specific operational information for service improvement, security, testing, analytics, and development where lawful and subject to appropriate safeguards.

13.5 Automated decision-making

To the extent required by applicable law, Leera will support appropriate safeguards where solely automated processing is used to make decisions that produce legal effects or similarly significant effects on individuals.

Where Leera sends direct marketing for its own services, we will do so only where permitted by applicable law and will provide an appropriate opportunity to opt out or unsubscribe. Where Clients use the Platform for communications with their own customers, Clients are responsible for ensuring that those communications comply with applicable marketing, consumer, telecommunications, and privacy laws, while Leera may provide tools to support preference management and suppression controls.

Subject to applicable law and our role in the relevant processing, data subjects may have rights to:

• Request access to personal information or personal data;
• Request correction, updating, or rectification of inaccurate or incomplete information;
• Request deletion or erasure where lawful grounds exist;
• Object to or restrict certain processing;
• Withdraw consent where processing is based on consent;
• Request portability of data where applicable under GDPR;
• Lodge a complaint with a supervisory or regulatory authority.

Where Leera acts only as operator or processor for a Client, we may direct the request to the relevant Client or assist the Client in responding, as appropriate.

Leera websites and services may use cookies, pixels, local storage, session tools, analytics technologies, and security-related technologies to enable website functionality, maintain sessions, understand usage, improve performance, detect abuse, and support service administration.

Where required by applicable law, we will request consent for non-essential cookies or similar technologies. Users may also manage browser or device settings, although disabling certain technologies may affect functionality.

Information processed through the Platform is treated as confidential except where it is lawfully public, lawfully obtained from an independent source without confidentiality obligations, or required to be disclosed by law, court order, or competent authority. Leera personnel and service providers with access to relevant information are subject to confidentiality and access-control obligations.

Leera maintains incident response procedures and will take reasonable steps to investigate, contain, assess, and remediate security incidents.

Where Leera acts as operator or processor and becomes aware of a security compromise or personal data breach affecting Client Data, Leera will notify the relevant Client without undue delay or as required by contract or law and provide reasonable cooperation to support legal notification obligations.

Where Leera acts as responsible party or controller and notification is legally required, Leera will notify affected persons and/or competent regulators or supervisory authorities in accordance with applicable law.

The Platform is not intended for use by children unless the relevant processing is specifically authorised, necessary, and lawful. Where children’s information is processed, this will occur only where an appropriate legal basis, consent, authorisation, or other lawful justification applies and with additional safeguards where required.

Leera may maintain additional compliance documentation, including a PAIA manual and internal privacy governance records, where required by law. Requests relating to access, correction, deletion, objections, complaints, and general privacy matters may be directed to the contact details below. Where required under South African law, Leera’s Information Officer or a duly authorised representative will manage privacy and access-to-information enquiries.

Data subjects also have the right, where applicable, to lodge complaints with the Information Regulator in South Africa or with another competent supervisory authority.

Leera may update this Privacy Policy from time to time to reflect changes in law, regulation, technology, security practices, or our services. Updated versions may be published on the Platform or website with a revised effective date. Where required by law, we will provide additional notice of material changes.

For privacy, compliance, or data protection enquiries, contact:

This Privacy Policy is governed by the laws of the Republic of South Africa, subject to any mandatory provisions of other applicable data protection laws, including GDPR where relevant to specific processing activities.