Privacy policy
Last Updated: 31 May 2026
PREAMBLE
This Privacy Policy ("Policy") is published by Kora Consulting (Pty) Ltd (Registration No. K2025980746 "Kora Consulting", "the Company", "we", "us", or "our"), a private company duly incorporated in accordance with the laws of the Republic of South Africa, with its registered office at .
This Policy is published in compliance with the provisions of the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Promotion of Access to Information Act 2 of 2000 ("PAIA"), the Electronic Communications and Transactions Act 25 of 2002 ("ECTA"), the Consumer Protection Act 68 of 2008 ("CPA"), and all other applicable South African legislation and common law principles governing the processing, protection, and disclosure of personal information.
This Policy governs the collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, distribution, and merging or linking, as well as the blocking, degradation, erasure, or destruction of personal information of natural and juristic persons ("data subjects") who interact with Kora Consulting through any channel, including but not limited to our website, email communications, telephonic engagement, in-person meetings, contractual engagements, procurement processes, and recruitment activities.
BY ACCESSING OUR WEBSITE, SUBMITTING AN ENQUIRY, ENGAGING OUR SERVICES, APPLYING FOR A POSITION, OR OTHERWISE INTERACTING WITH KORA CONSULTING, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS POLICY. IF YOU DO NOT AGREE WITH ANY PROVISION OF THIS POLICY, YOU MUST IMMEDIATELY CEASE INTERACTION WITH KORA CONSULTING.
1. DEFINITIONS AND INTERPRETATION
1.1 In this Policy, unless the context indicates otherwise, the following terms shall bear the meanings assigned to them below, and cognate expressions shall bear corresponding meanings:
· "Act" - the Protection of Personal Information Act 4 of 2013, as amended from time to time.
· "Biometric Information" - personal information of a biological nature, including but not limited to blood type, fingerprints, DNA, retinal scans, voice recognition, and facial recognition.
· "Company" - Kora Consulting (Pty) Ltd (Registration No. K2025980746).
· "Consent" - any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
· "Data Subject" - the natural person or juristic person to whom personal information relates.
· "De-identify" - to delete any information that identifies the data subject or could reasonably be used to identify the data subject from a record or collection of records, while retaining the information in a form that may be re-identified.
· "Deputy Information Officer" - Joshua Zumbika, in his capacity as Operations Director of the Company, or such other person as may be designated from time to time.
· "Information Officer" - Nthato Leboli, in his capacity as Managing Director of the Company, or such other person as may be designated from time to time.
· "Information Regulator" - the Information Regulator established in terms of section 39 of the Act.
· "Operator" - a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that responsible party.
· "PAIA" - the Promotion of Access to Information Act 2 of 2000, as amended.
· "Personal Information" - information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, as more fully defined in section 1 of the Act.
· "Processing" - any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as blocking, degradation, erasure or destruction of information.
· "Record" - any recorded information regardless of form or medium, including writing on any material; information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored; label, marking or other writing that identifies or describes anything of which it forms part.
· "Responsible Party" - Kora Consulting (Pty) Ltd, being the public or private or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
· "Special Personal Information" - personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour of a data subject.
· "Website" - the Company's website accessible at www.koraconsulting.co.za and all associated subdomains, pages, and digital platforms operated by the Company.
1.2 In this Policy:
· The singular includes the plural and vice versa;
· A reference to any gender includes a reference to all genders;
· A reference to a natural person includes a juristic person and vice versa;
· A reference to a statute, regulation, or other legislative instrument includes any amendment thereto or re-enactment thereof;
· The headings to sections and subsections are for convenience only and shall not affect the interpretation of this Policy;
· Where any number of days is prescribed, those days shall be calendar days unless otherwise specified.
2. RESPONSIBLE PARTY
IDENTITY AND CONTACT DETAILS OF THE RESPONSIBLE PARTY
2.1 The responsible party for the purposes of the Act is:
· Information Officer: Nthato Leboli | nthato@koraconsulting.co.za
· Deputy Information Officer: Joshua Zumbika | joshua@koraconsulting.co.za
· General Correspondence: info@koraconsulting.co.za | www.koraconsulting.co.za
2.2 The Information Officer has been duly designated in terms of section 55 of the Act and section 17 of PAIA, and is responsible for the encouragement of compliance by the Company with the conditions for the lawful processing of personal information, dealing with requests made to the Company pursuant to the Act, working with the Information Regulator in relation to investigations, and otherwise ensuring compliance with the provisions of the Act.
3. SCOPE
3.1 This Policy applies to all personal information processed by Kora Consulting in its capacity as responsible party, including personal information processed by operators engaged by the Company. It applies regardless of the medium in which such personal information is held.
3.2 This Policy applies to the following categories of data subjects whose personal information is processed by the Company:
· Clients and client representatives with whom the Company has concluded or is in the process of concluding engagement agreements;
· Prospective clients and business development contacts who have engaged with the Company or been contacted by the Company in the course of business development activities;
· Team members and associate consultants engaged by the Company on a permanent or project basis;
· Candidates for Independent Non-Executive Director positions on the Company's advisory board;
· Service providers, suppliers, and professional advisors engaged by the Company;
· Visitors to the Company's Website;
· Any other natural or juristic persons whose personal information is processed by the Company in the course of its operations.
3.3 Where this Policy applies to juristic persons, it applies to the extent that the information constitutes personal information of a juristic person within the meaning of section 1 of the Act.
4. LAWFUL PROCESSING CONDITIONS
4.1 The Company processes personal information in accordance with the eight conditions for lawful processing set out in Chapter 3 of the Act. These conditions are:
4.1.1 Accountability
The Company, as the responsible party, gives effect to the conditions established in Chapter 3 of the Act and takes reasonably practicable measures to ensure that the conditions are complied with by any operator that processes personal information on behalf of the Company.
4.1.2 Processing Limitation
The Company processes personal information only if the processing satisfies one or more of the following grounds:
· The data subject, or a competent person where the data subject is a child, consents to the processing;
· Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
· Processing complies with an obligation imposed by law on the responsible party;
· Processing protects a legitimate interest of the data subject;
· Processing is necessary for the proper performance of a public law duty by a public;
· Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied, unless such interests are overridden by the legitimate interests of the data subject to have their personal information protected.
4.1.3 Purpose Specification
The Company collects personal information only for a specific, explicitly defined, and lawful purpose related to a function or activity of the Company. The Company does not process personal information in a manner that is incompatible with the purpose for which it was collected. The purpose of collection is communicated to data subjects at or before the time of collection.
4.1.4 Further Processing Limitation
The Company does not process personal information for a secondary purpose unless such further processing is compatible with the original purpose of collection, having regard to all relevant factors, including the relationship between the original and proposed further processing purposes, the nature of the personal information, the likely consequences of the further processing for the data subject, the manner in which the personal information was collected, and any contractual or statutory obligations of confidentiality.
4.1.5. Information Quality
The Company takes reasonably practicable steps to ensure that all personal information collected is complete, accurate, not misleading, and updated where necessary, having regard to the purpose for which the personal information was collected or further processed.
4.1.6. Openness
The Company maintains documentation of all processing operations in terms of section 18 of the Act, and notifies data subjects prior to or at the time of collection of personal information. This Policy, together with the Company's PAIA Manual, constitutes the primary mechanism through which the Company gives effect to its obligation of openness.
4.1.7. Security Safeguards
The Company implements appropriate, reasonable, technical, and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and to prevent unlawful access to or processing of personal information. These measures are described in section 11 of this Policy.
4.1.8. Data Subject Participation
The Company gives effect to the rights of data subjects to request access to, correction of, and deletion of their personal information as more fully described in section 13 of this Policy.
5. CATEGORIES OF PERSONAL INFORMATION
5.1 The Company collects and processes the following categories of personal information, depending on the nature of the relationship with the data subject:
5.2 Clients and Client Representatives
· Full names and identity or passport numbers;
· Contact details including email addresses, telephone numbers, and physical addresses;
· Company registration numbers and VAT numbers;
· Banking and payment details for invoicing and payment processing;
· Correspondence, instructions, approvals, and engagement-related communications;
· Any personal information voluntarily disclosed in the course of receiving consulting, research, advisory, or related services;
· Information contained in signed engagement agreements, non-disclosure agreements, and service-level agreements.
5.3 Team Members
· Full names, identity numbers, and residential addresses;
· Contact details, qualifications, and professional certifications;
· Employment history and professional references;
· Banking details for remuneration and expense reimbursement purposes;
· Performance records, appraisal documentation, and engagement deliverables;
· Tax reference numbers and compliance information as required by applicable legislation;
· Emergency contact information;
· Any other information required to administer the employment or engagement relationship.
5.4 Service Providers and Suppliers
· Full names or registered company names and registration numbers;
· VAT registration numbers and B-BBEE compliance certificates;
· Contact details and correspondence;
· Banking details for payment processing;
· Signed contracts, service-level agreements, and procurement documentation.
5.6. Website Visitors and Digital Channel Users
· Internet Protocol (IP) addresses and browser and device type information, collected automatically through standard web server technology and analytics tools;
· Contact form submissions including name, email address, and enquiry content;
· Any personal information voluntarily provided in the course of submitting an enquiry or interacting with the Company's digital channels.
5.7 The Company does not intentionally collect Special Personal Information as defined in section 26 of the Act. Should any Special Personal Information be inadvertently received, the Company will take all reasonably practicable steps to either obtain the appropriate consent for its processing or securely destroy such information without further processing.
5.8 The Company does not process the personal information of children under the age of 18 (eighteen) years unless permitted to do so in terms of section 35 of the Act, and shall in all cases obtain the consent of a competent person where required.
6. PURPOSE OF PROCESSING
6.1 The Company processes personal information for the following specific and lawful purposes:
· To conclude, administer, and perform engagement agreements with clients, including the delivery of management consulting, financial analysis, market research, risk advisory, operational improvement, and related professional services;
· To manage employment and engagement relationships with team members and associate consultants, including for payroll administration, performance management, and compliance with labour legislation;
· To conduct the recruitment, assessment, and appointment of Independent Non-Executive Directors to the Company's advisory board, including the processing of applications, reference checks, and governance compliance;
· To comply with all applicable South African statutory and regulatory obligations, including obligations arising under the Companies Act 71 of 2008, the Income Tax Act 58 of 1962, the Basic Conditions of Employment Act 75 of 1997, the Labour Relations Act 66 of 1995, PAIA, POPIA, and the General Laws Anti-Money Laundering and Combating Terrorism Financing Amendment Act 22 of 2022;
· To process payments to service providers, suppliers, and team members, and to receive payments from clients;
· To conduct business development activities, including the preparation and submission of proposals and capability statements to prospective clients;
· To maintain governance, compliance, and regulatory records as required by law, including the beneficial ownership register, securities register, and PAIA annual reports;
· To respond to enquiries, requests for proposals, requests for information, and general correspondence submitted through any channel;
· To exercise or protect the legal rights and legitimate interests of the Company in any legal proceedings or regulatory process;
· To register and maintain the Company's accounts with regulatory bodies, government institutions, and supply chain databases.
6.2 The Company does not process personal information for any purpose other than those listed in section 6.1 above or as otherwise permitted by the Act. Any proposed further processing of personal information for a new or different purpose will be assessed for compatibility with the original purpose of collection before any such further processing takes place.
7. DISCLOSURE
7.1 The Company does not sell, rent, trade, or otherwise make available personal information to third parties for commercial or marketing purposes.
7.2 The Company may disclose personal information to the following categories of third parties, strictly to the extent necessary for the purposes identified in section 6 above:
7.2.1. Regulatory and Governmental Authorities
The Company may be required by law to disclose personal information to the following authorities:
· South African Revenue Service (SARS) — for income tax, PAYE, VAT, and related tax compliance obligations;
· Companies and Intellectual Property Commission (CIPC) — in connection with company registration, annual return filings, and beneficial ownership disclosure;
· Information Regulator of South Africa — for the purposes of PAIA and POPIA compliance, including the submission of PAIA annual reports and the management of data subject complaints;
· South African Qualifications Authority (SAQA) — for the verification of academic and professional qualifications where applicable;
· Department of Employment and Labour — for the purposes of UIF and other statutory compliance obligations;
· Any court, tribunal, arbitration panel, or regulatory authority of competent jurisdiction, to the extent required by a lawful order or legal process.
7.2.2. Operator
The Company may engage operators to process personal information on its behalf, including providers of cloud storage, email hosting, accounting software, payroll platforms, and professional advisory services. All operators are required to:
· Process personal information only on the written instructions of the Company;
· Maintain appropriate security measures in respect of all personal information processed;
· Not engage any sub-operator without the prior written consent of the Company;
· Comply with all applicable provisions of the Act.
The Company gives effect to this requirement through operator agreements or data processing addenda concluded with all relevant operators.
7.2.3. Professional Advisors
· The Company may disclose personal information to its legal advisors, auditors, and accounting practitioners on a strictly confidential and need-to-know basis, to the extent necessary for the provision of professional services to the Company.
7.2.4 Where the Company is required to disclose personal information pursuant to a legal obligation or court order, the Company will, to the extent permitted by law, notify the affected data subject of such disclosure.
8. TRANSBORDER FLOWS
8.1 The Company does not currently transfer personal information outside the Republic of South Africa. All personal information collected by the Company is processed and stored within the territorial jurisdiction of the Republic of South Africa.
8.2 Notwithstanding section 8.1, should the Company at any future stage contemplate the transfer of personal information to a recipient in a foreign country, such transfer shall only be effected in compliance with section 72 of the Act, which requires that:
· The recipient country has in place adequate data protection legislation that provides a substantially similar level of protection to that afforded by the Act;
· The data subject has consented to the transfer; or
· The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request.
8.3 In the event of any proposed transborder transfer of personal information, the Company will update this Policy to reflect the nature, purpose, and destination of such transfer, and will take all steps required by the Act to lawfully effect the same.
9. RETENTION
9.1 The Company retains personal information only for as long as is necessary to fulfil the specific purpose for which it was collected, or as required or permitted by applicable legislation.
9.2 Subject to section 9.3, the Company's retention periods are as follows:
· Client engagement records: for the duration of the engagement and a minimum of five years thereafter;
· Employment and engagement records: for the duration of the engagement and a minimum of five years thereafter;
· iNED application records: for the duration of the board tenure and a minimum of three years after tenure ends; unsuccessful applications retained for a maximum of 12 months;
· Financial and tax records: minimum of five years as required by the Income Tax Act;
· Compliance and regulatory records: for the period required by the applicable legislation.
9.3 Notwithstanding the retention periods set out in section 9.2, the Company may retain personal information for a longer period where:
· Retention is required by applicable legislation;
· The information is the subject of an ongoing legal dispute, investigation, or regulatory proceeding;
· The data subject has given consent to extended retention.
9.4 Upon expiry of the applicable retention period, the Company shall destroy or de-identify personal information in a secure and irreversible manner, subject to section 9.3 above.
10. SECURITY
10.1 Pursuant to section 19 of the Act, the Company implements appropriate, reasonable, technical, and organisational measures to secure the integrity and confidentiality of personal information in its possession and under its control. These measures are designed to prevent:
· Loss of, damage to, or unauthorised destruction of personal information; and
· Unlawful access to, or processing of, personal information.
10.2 The Company's current information security measures include, without limitation:
· Password-protected access to all company email accounts, cloud storage platforms, and internal systems;
· Two-factor authentication ("2FA") implemented across all email accounts, being the Company's primary email and collaboration platform;
· Role-based and need-to-know access controls limiting access to sensitive personal information to authorised personnel only;
· Confidentiality obligations imposed on all team members through engagement contracts and the Company's Confidentiality and Non-Disclosure Policy;
· Physical security measures governing the access to and storage of hard-copy records containing personal information;
· Regular review and update of access permissions and security configurations as the Company's operations develop.
10.3 Notification of Security Compromise
10.3.1 In the event that the Company reasonably believes that the personal information of a data subject has been accessed or acquired by any unauthorised person, the Company shall:
· Notify the Information Regulator as soon as reasonably possible after discovery of the compromise, in accordance with section 22 of the Act;
· Notify the affected data subjects of the compromise unless the identity of the data subjects cannot be established; and
· Take all reasonably practicable steps to restore the integrity and security of the affected personal information.
10.3.2 Notification to data subjects shall include a description of the possible consequences of the security compromise, the measures taken to address the compromise, and a recommendation of measures to be taken by the data subject to mitigate the potential adverse effects of the compromise.
10.4 Operator Security Obligations. Any operator engaged by the Company to process personal information on its behalf shall be required, by contract, to implement and maintain appropriate security measures equivalent to or greater than those maintained by the Company itself, in accordance with section 21 of the Act.
11. DATA SUBJECT RIGHTS
11.1 Subject to the limitations and exceptions provided for in the Act, data subjects whose personal information is processed by the Company enjoy the following rights:
11.1.1. Right to Notification (Section 18 of the Act)
A data subject has the right to be notified that the Company intends to collect their personal information or, where personal information is collected from another source, as soon as reasonably practicable thereafter. Such notification shall include the information prescribed in section 181 of the Act, including the identity of the responsible party, the purpose of collection, and the rights available to the data subject.
11.1.2. Right of Access (Section 23 of the Act)
A data subject has the right to request confirmation of whether or not the Company holds personal information about them, and to request access to that information. Requests for access must be submitted in writing to the Information Officer and will be processed in accordance with the procedures set out in the Company's PAIA Manual.
11.1.3. Right to Correction or Deletion (Section 24 of the Act)
A data subject has the right to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. The Company shall, upon receipt of a valid request, correct or delete the relevant information as soon as reasonably practicable.
11.1.4. Right to Object (Section 113 of the Act)
A data subject has the right, at any time, to object to the processing of their personal information by the Company:
· On reasonable grounds relating to their particular situation, where the processing is based on the legitimate interests of the Company or a third party; and
· At any time, where processing is for direct marketing purposes.
Upon receipt of a valid objection, the Company shall cease processing the relevant personal information unless the Company can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject.
11.1.5. Right to Withdraw Consent (Section 111a of the Act)
Where processing is based on the consent of the data subject, the data subject has the right to withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
11.1.6. Right to Lodge a Complaint
A data subject who believes that the Company has processed their personal information in contravention of the Act has the right to lodge a complaint with the Information Regulator of South Africa. The contact details of the Information Regulator are set out in section 15 of this Policy.
11.2 Requests in terms of the sections above must be submitted in writing to the Information Officer.
11.4 The Company will respond to all valid requests within a reasonable period, which shall not exceed 30 (thirty) days from receipt of the request, unless an extension is warranted in terms of the Act.
12. COOKIES
12.1 The Company's Website may use cookies and similar tracking technologies ("Cookies") to improve the functionality and user experience of the Website. Cookies are small data files placed on a user's device by a web server.
12.2 The Company may use the following categories of Cookies:
· Strictly necessary Cookies, which are required for the operation of the Website and cannot be switched off without affecting the functionality thereof;
· Performance and analytics Cookies, which collect information about how users interact with the Website, including the pages visited and any error messages received, for the purpose of improving Website performance;
· Functionality Cookies, which remember preferences and choices made by the user to improve the user experience.
12.3 Users may control or disable Cookies through their browser settings. However, disabling certain Cookies may impair the functionality of the Website.
12.4 The Company does not use Cookies for the purpose of tracking users across third-party websites or for behavioural advertising.
13. AMENDMENTS
13.1 The Company reserves the right to amend, update, or replace this Policy at any time, in response to changes in applicable legislation, developments in the Company's operations, or changes in standard practice. Any amendments shall take effect upon publication of the updated Policy on the Company's Website.
13.2 The date of the most recent amendment appears at the top of this Policy. It is the responsibility of data subjects and all other persons interacting with the Company to periodically review this Policy.
13.3 Where an amendment materially affects the manner in which personal information of existing data subjects is processed, the Company shall take reasonable steps to notify those data subjects of the amendment prior to it taking effect.
14. GOVERNING LAW
14.1 This Policy is governed by and shall be construed in accordance with the laws of the Republic of South Africa. Any dispute arising from or in connection with this Policy, including any question as to its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of the Republic of South Africa.
14.2 Nothing in this Policy shall be construed to limit or restrict any right conferred on a data subject by the Act or any other applicable legislation.
15. REGULATOR
Data subjects who wish to lodge a complaint, obtain information about their rights, or contact the Information Regulator may do so through the following channels:
· Name: Information Regulator of South Africa
· Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
· Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
· Email: inforeg@justice.gov.za
· Website: www.inforegulator.org.za