POPIA Privacy Notice

Responsible Party & Information Officer

1. Purpose of this notice

This Privacy Notice explains how Elephant collects, uses, stores, shares and protects personal information, and informs you of your rights as a data subject. It applies to personal information collected through our sales processes, enquiries, quotations, invoices, installations/fitments, warranty support, after-sales service, events and marketing (where applicable), as well as via our website and social media channels.

2. What personal information do we collect

Depending on your interaction with us, we may collect the following categories of personal information:

• Identity and contact details: name, surname, ID/passport number (where required), email address, telephone number, physical address.
• Vehicle and service-related information: vehicle make/model, registration number/VIN (where required for fitment/warranty), photos of the vehicle where needed to supply/fit products.
• Account and transaction information: quotations, invoices, proof of payment, payment references, delivery details, warranty claims and returns.
• Communication records: call notes, emails, WhatsApp messages, web form submissions, support tickets.
• Website/technical data (if you use our website): device and log data, IP address, cookie identifiers and usage analytics (subject to your browser settings and any cookie banner choices we implement).

We aim to collect personal information directly from you. Where we collect information from third parties (for example, a fitment partner, dealership, courier, payment provider, or a referrer), we do so only where permitted by law and for legitimate business purposes.

3. Why we process your personal information (purposes)

• To respond to enquiries and provide quotations.
• To sell, supply, deliver, install/fit and support Elephant products and services.
• To administer orders, payments, returns, warranties and after-sales support.
• To manage customer relationships and maintain service records.
• To comply with legal and regulatory obligations (for example, tax and accounting requirements).
• To protect our legitimate business interests, including fraud prevention, security, and enforcing contractual rights.
• To send marketing communications where you have consented or where permitted by law (and to give you an opt-out).

4. Lawful grounds for processing

We process personal information only where one or more lawful grounds apply under POPIA, including:

• Performance of a contract (or steps at your request prior to entering into a contract), such as providing a quotation, order fulfilment, and warranty support.
• Compliance with a legal obligation (for example, recordkeeping required by tax and company laws).
• Our legitimate interests (or those of a third party) that are not overridden by your interests or fundamental rights, such as operational security, fraud prevention, and service improvement.
• Your consent, where required (for example, certain direct marketing by electronic communication).

5. Mandatory vs voluntary supply of information

Providing certain information is required to enable us to supply products or services (for example, contact details for delivery and billing, and vehicle details for correct fitment). If you do not provide information that is necessary for a specific purpose, we may be unable to process your request or provide the relevant product or service.

6. How we share personal information (recipients and operators)

We may share personal information with the following categories of recipients, only to the extent necessary for the stated purposes and subject to appropriate safeguards:

• Service providers and operators who process information on our behalf, such as cloud/email services, accounting/invoicing systems, CRM tools, and IT support.
• Delivery and logistics providers (couriers) for shipment tracking and delivery.
• Fitment centres, installers, dealerships or partner workshops where they are involved in supplying or fitting products on our instructions or at your request.
• Payment service providers and banks to process payments and reconcile transactions.
• Professional advisers (e.g., auditors, legal advisers) and regulators or law enforcement where required by law.

Where third parties act as "operators" under POPIA, we require appropriate contractual and practical security measures to protect personal information.

7. Cross-border transfers

If we transfer personal information outside South Africa, we will do so only where POPIA permits and with appropriate safeguards to ensure a level of protection that is substantially similar to POPIA.

For example, we use cloud-based software providers for our email and customer relationship management, which may result in your information being stored on servers located in jurisdictions such as the European Union or the United States. We ensure these providers are subject to binding agreements requiring them to protect data in line with POPIA standards.

8. Security safeguards

We implement appropriate technical and organisational measures to safeguard personal information against loss, unauthorised access, disclosure, alteration, or destruction, taking into account generally accepted information security practices and the sensitivity of the information.

If we have reasonable grounds to believe that a personal information security compromise has occurred, we will notify affected data subjects and/or the Information Regulator where required by POPIA.

9. Retention and destruction

We retain personal information only for as long as necessary for the purposes described in this notice, unless a longer retention period is required or permitted by law. (For example, we retain customer transaction records for a period of five years to comply with tax laws. Warranty-related information may be retained for the duration of the warranty period plus any applicable legal prescription periods for claims). When personal information is no longer required, we will securely destroy or de-identify it in accordance with our retention practices.

10. Direct marketing

Where we send direct marketing by electronic communication (such as email, SMS or WhatsApp), we will do so only where permitted by POPIA. You may object to or opt out of direct marketing at any time by using the unsubscribe mechanism in the message or by contacting us at info@elephant4x4.co.za.

11. Your rights as a data subject

Subject to POPIA and any applicable exemptions, you may:

• Request confirmation of whether we hold personal information about you and request access to that information.
• Request correction, destruction, or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
• Object to the processing of your personal information on reasonable grounds, including objection to direct marketing.
• Withdraw consent where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
• Lodge a complaint with the Information Regulator.

12. How to exercise your rights

To exercise your rights, contact our Information Officer using the details above. We may request sufficient information to verify your identity and to understand and process your request. We will respond within timeframes required by applicable law.

13. Complaints to the Information Regulator

If you believe your personal information has been processed in a manner that violates POPIA, you may lodge a complaint with the Information Regulator (South Africa):

• Email (POPIA complaints): POPIAComplaints@inforegulator.org.za
• Website: https://inforegulator.org.za

The Regulator’s complaint forms and guidance are available on its website.

14. Changes to this notice

We may update this notice from time to time to reflect changes in our processing activities or legal requirements. The latest version should be made available on request and (if applicable) on our website.

15. Effective date

Effective date: 21 January 2026

References (authoritative sources)

• Protection of Personal Information Act 4 of 2013 (POPIA) – Department of Justice and Constitutional Development: https://www.justice.gov.za/legislation/acts/2013-004.pdf
• Information Regulator (South Africa) – Contact and POPIA complaints channel: https://inforegulator.org.za/contact-us/
• Information Regulator – POPIA Regulations (POPIA-2021 Regulations finalised 21 Jan 2025): https://inforegulator.org.za/wp-content/uploads/2025/04/POPIA-2021-Regulations-FINAL-21-Jan-2025.pdf