1.1 Applicable law

This Policy is compiled in accordance with:

• Protection of Personal Information Act, 4 of 2013 ("POPIA")
• Promotion of Access to Information Act, 2 of 2000 ("PAIA")
• Electronic Communications and Transactions Act, 25 of 2002 ("ECTA")
• Consumer Protection Act, 68 of 2008 ("CPA")
• Financial Intelligence Centre Act, 38 of 2001 ("FICA"), where applicable

1.2 Key definitions

• "Personal Information" bears the meaning assigned under POPIA and includes information relating to an identifiable, living natural person or existing juristic person.
• "Processing" includes the collection, receipt, recording, storage, updating, modification, retrieval, use, dissemination, restriction, deletion, or destruction of Personal Information.
• "Responsible Party" is GP Holding (Pty) Ltd, which determines the purpose and means of processing.
• "Operator" means a third party that processes Personal Information on our behalf under written contract.
• "Information Officer" is the person designated under section 56 of POPIA. By default the Information Officer is the head of the Company, contactable via the details in section 13.

We collect information directly from you, automatically through your use of the Platform, from vendors and operators acting on our behalf, and from approved third-party verification providers.

2.1 Account and identity information

• Full legal names
• Email addresses
• Mobile telephone numbers
• Billing and delivery addresses
• User account credentials (passwords are stored hashed and salted)

2.2 Regulatory verification information

For regulated goods or services, including age-restricted products and transactions triggering FICA obligations, we may request statutory identifiers such as South African Identity Numbers or passport numbers. Identifiers submitted for verification are transmitted to an accredited third-party verification provider; the identifier itself is not retained in our operational systems once verification completes, unless retention is required by law. FICA-triggering identity data is retained for 5 years from the end of the business relationship, as required.

2.3 Transaction and marketplace information

• Shopping cart and wishlist activity
• Purchase history and order metadata
• Refund and return records
• Internal wallet transactions
• Vendor payout references and settlement records
• Customer support interactions and correspondence
• Product reviews and ratings you publish

2.4 Technical and usage information

• IP addresses
• Browser, device, and operating system information
• Session identifiers and authentication tokens
• Approximate geolocation inferred from IP and network telemetry
• Diagnostic, performance, and security logs
• Cookie and tracking identifiers (see Cookies Policy)

2.5 Information from third parties

• Verification outcomes from accredited verification providers
• Fraud and risk signals from payment processors and risk providers
• Logistics and tracking information from delivery partners
• Vendor onboarding information from our vendor application process

We process Personal Information only where one of the lawful grounds in section 11 of POPIA applies.

3.1 Performance of a contract (POPIA s 11(1)(b))

Creating and maintaining user accounts, processing orders, payments, and refunds, facilitating logistics and delivery, authenticating user sessions, operating marketplace and vendor-payout functionality, and providing customer support.

3.2 Legal or regulatory obligation (POPIA s 11(1)(c))

Verifying eligibility for regulated or age-restricted products, preventing unlawful transactions, maintaining financial and accounting records as required by law, and responding to lawful regulatory or law-enforcement requests.

3.3 Legitimate interests (POPIA s 11(1)(f))

Improving Platform stability, performance, and security; detecting and preventing fraud and abuse; conducting analytics and infrastructure monitoring; and defending and exercising legal claims. You may object to processing based on legitimate interests at any time using the channels in section 11.

3.4 Consent (POPIA s 11(1)(a))

Direct marketing to non-customers, non-essential cookies and analytics, and optional personalisation features. Consent may be withdrawn at any time without affecting processing conducted before withdrawal.

4.1 Infrastructure and security

We implement administrative, technical, and organisational safeguards including encryption of Personal Information in transit (TLS 1.2 or higher), encryption of sensitive data at rest, role-based access controls, multi-factor authentication for administrative access, activity logging and security monitoring, regular security testing, and documented incident response procedures.

We do not sell Personal Information. We do not share Personal Information with third-party data brokers.

4.2 Payment information

The Platform does not directly store or process complete payment card numbers, CVV numbers, or raw banking credentials. All payment transactions are processed through independently operated, PCI-DSS compliant payment processors. Only token references issued by the processor are stored.

4.3 Retention schedule

We retain Personal Information only for as long as necessary for the purposes for which it was collected, or as required by law:

4.4 Account deletion

You may close your account at any time through Platform account settings or by contacting the Information Officer. On closure, login access is disabled immediately, profile data is anonymised within 90 days, transaction records are retained per the schedule above, and marketing data is suppressed immediately and deleted within 30 days.

We share Personal Information only in the following circumstances:

• Operators: Payment processors, logistics partners, cloud infrastructure providers, fraud-prevention providers, communications providers, and analytics providers, all under written operator agreements.
• Vendors on the marketplace: Only the information vendors require to fulfil your order (name, delivery address, contact number for delivery coordination, order details). Vendors are contractually prohibited from using this information for any other purpose.
• Professional advisors: Auditors, attorneys, and accountants under professional confidentiality obligations.
• Law enforcement and regulators: Where compelled by lawful process or where disclosure is necessary to prevent serious harm or substantial financial loss.
• Successor entities: In the event of a merger, acquisition, restructuring, or sale of assets, subject to the recipient agreeing to honour this Policy.
• With your consent: For any disclosure outside the categories above.

Certain operators and service providers process limited Personal Information outside South Africa. Where cross-border processing occurs, we comply with section 72 of POPIA by ensuring at least one of the following applies: the recipient is subject to a law or binding agreement that upholds principles substantially similar to POPIA; you have consented to the transfer; the transfer is necessary for the performance of a contract between you and us; or the transfer is for your benefit and obtaining consent is not reasonably practicable.

The categories of data most commonly transferred are technical telemetry and aggregated or pseudonymised analytics data. You may request information about specific cross-border transfer safeguards by contacting the Information Officer.

In the event of a security compromise affecting Personal Information, the Company will:

• Contain and investigate the incident within 72 hours of detection
• Notify the Information Regulator as soon as reasonably possible after discovery, in compliance with section 22 of POPIA
• Notify affected Data Subjects in writing where the breach poses a risk to their rights or interests

Notifications will include the nature of the breach, categories of information affected, steps taken or recommended, contact details for further information, and whether the Information Regulator has been notified.

We send direct marketing only where you have given consent, you are an existing customer and the marketing relates to similar products to those you purchased and you have not opted out, or applicable law otherwise authorises the communication.

Every electronic marketing message will include a free, functional unsubscribe mechanism, in compliance with section 45 of ECTA and section 69 of POPIA. You may withdraw consent at any time without affecting the lawfulness of prior processing.

The Platform is not intended for persons under 18 years of age. We do not knowingly process Personal Information of children except where prior, verifiable, and informed consent has been obtained from a competent person, in accordance with section 34 of POPIA.

If we become aware that we have processed a child's Personal Information without the required consent, we will delete the information without undue delay. If you believe a child's Personal Information has been provided to us, please contact the Information Officer.

We use automated systems to support fraud detection, risk scoring, payment authorisation, and account-security decisions. Where a decision based solely on automated processing produces legal effects or significantly affects you, you have the right under section 71 of POPIA to request that the decision be reviewed by a person, receive an explanation of the reasoning, and make representations about the decision. Requests should be directed to the Information Officer.

Subject to the conditions and exemptions in POPIA and PAIA, you may:

• Request confirmation that we hold your Personal Information, and request access to it (POPIA s 23; PAIA process)
• Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained information (POPIA s 24)
• Object to processing based on legitimate interests or for direct marketing (POPIA s 11(3); s 69)
• Withdraw consent where processing is based on consent (POPIA s 11(2)(b))
• Lodge a complaint with the Information Regulator (POPIA s 74)

Submit a written request to the Information Officer using the contact details in section 13. We will respond within 30 days of receipt in accordance with section 25 of PAIA, unless a lawful extension applies.

We may update this Policy from time to time. The effective date and version number at the top will be updated when changes are made. Non-material changes take effect on publication. Material changes will be notified to account holders by email or in-Platform notice at least 14 days before taking effect. Archived versions are available on request.

Responsible Party
GP Holding (Pty) Ltd t/a Offers On
1 Yarmouth Rd, Mulbarton, Johannesburg South, 2059

Information Officer
The Information Officer is, by default in terms of POPIA, the head of the Company. Correspondence may be addressed to:

• Email: info@gpholding.co.za (mark for attention: Information Officer)
• Telephone: 011 613 1052
• Postal: 1 Yarmouth Rd, Mulbarton, Johannesburg South, 2059

If you believe your Personal Information has been processed unlawfully and you are dissatisfied with our response, you may lodge a complaint with:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Website: inforegulator.org.za
Email: POPIAComplaints@inforegulator.org.za