Last Update: September 2025

Introduction

This Privacy Policy is issued by and applies to JEM RSA OPCO (PTY) LTD, a private company registered and incorporated in accordance with the company laws of the Republic of South Africa, with registration number 2022/880649/07, together with all of its Affiliates (“JEM”, “we”, “us”, or “our”).

JEM is committed to protecting the privacy and Personal Information of visitors to our Website, as well as employees, employers, and other users (“you” or “your”) who make use of the JEM Services.

We recognise and respect the importance of data protection and are committed to complying with all Data Protection Laws applicable to the processing of Personal Information in South Africa, including the Protection of Personal Information Act, 4 of 2013 (“POPIA”), and, where relevant, data protection laws of other jurisdictions in which we operate (collectively, the “Data Protection Laws”).

This Privacy Policy describes our practices for collecting, using, storing, and disclosing Personal Information when you:

• register, log in, access, or use the JEM Platform, our Website located at www.jemhr.com, any content we own or operate, or any of the JEM Services (collectively, the “JEM Services”); or
• otherwise interact with us in circumstances that require the collection, use, or disclosure of your Personal Information.

By accessing, browsing, or using the JEM Services, you confirm that you have read, understood, and agree to be bound by this Privacy Policy.

Your continued use of the JEM Services after any amendments to this Privacy Policy constitutes your acceptance of the revised terms.

This Privacy Policy applies to all users of the JEM Services, including individuals, entities, and any other parties accessing or interacting with the Website, the JEM Platform, any content we own or operate, or any other related services forming part of the JEM Services.

Purpose of this Privacy Policy

This Privacy Policy explains what Personal Information we collect from you, how we use it, and the circumstances in which we may disclose it, in compliance with the Data Protection Laws.

By accessing our Website, using the JEM Services, or engaging in any activity that requires the collection, use, or disclosure of your Personal Information, you acknowledge that you have read and understood this Privacy Policy and that you have been informed of how we collect, use, and disclose your Personal Information.

This Privacy Policy is also intended to inform you of your rights in relation to your Personal Information and is intended to help you make informed decisions when using the JEM Services.

This Privacy Policy must be read together with any applicable agreements or terms entered into between you and JEM, including the Terms and Conditions and the Service Level Agreement, and forms part of those terms by reference.

Privacy Statement

Legal Justification for Processing Personal Information

Unless otherwise indicated, the Processing of Personal Information refers to the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, restriction, erasure, or destruction of Personal Information, as defined under the Data Protection Laws.

Where there is any inconsistency or conflict between applicable Data Protection Laws, the provisions of POPIA shall prevail for Processing activities taking place within the Republic of South Africa, unless otherwise required by the laws of another applicable jurisdiction.

For the purposes of this Privacy Policy:

• “Personal Information” has the meaning assigned to it under the Data Protection Laws, and includes information relating to an identifiable, living natural person, and where applicable, an identifiable, existing juristic person, including but not limited to information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, birth, education, medical, financial, criminal or employment history, an identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person, biometric information, personal opinions, views or preferences, correspondence, and the name of the person if it appears with other Personal Information or if disclosure of the name itself would reveal information about the person; and
• “Processing” has the meaning assigned to it under the Data Protection Laws, and includes any operation or activity, whether or not by automatic means, concerning Personal Information.

In accordance with the Data Protection Laws, we will only Process your Personal Information if at least one of the following legal bases applies:

• Consent: You have given your voluntary, specific, and informed consent to the Processing of your Personal Information for one or more purposes. You may withdraw your consent at any time, without affecting the lawfulness of Processing prior to such withdrawal, by following the process outlined in this Privacy Policy.
• Performance of a Contract: Processing is necessary to conclude or perform a contract to which you are a party, or to take steps at your request before entering into such a contract, and includes the establishment, management, and fulfilment of your relationship with JEM under the Terms of Service and/or Service Level Agreement, the provision and ongoing administration of the JEM Services and access to the JEM Platform, the performance of related support, operational, payroll, compliance, and employee-benefit functions, the transfer of Personal Information to JEM Service Partners and other third parties where required for the proper performance of the JEM Services, and any cross-border transfers of Personal Information strictly necessary for the conclusion or performance of a contract in the interest of the data subject, as contemplated in Section 71(1)(d) of POPIA.
• Legal Obligation: Processing is necessary to comply with an obligation imposed by law, including obligations under the Data Protection Laws, the Financial Intelligence Centre Act (“FICA”), anti-money laundering (“AML”) and counter-terrorism financing (“CTF”) legislation, tax laws, and any applicable court order or regulatory directive.
• Legitimate Interest: Processing is necessary for pursuing the legitimate interests of JEM or of a third party to whom the Personal Information is supplied, except where such interests are overridden by your rights to privacy as protected under the Data Protection Laws. Where we rely on this basis, we will ensure that such Processing is proportionate, limited to what is necessary, and carried out in a manner that respects your rights under the Data Protection Laws.
• Protection of a Legitimate Interest of the Data Subject: Processing is necessary to protect your legitimate interests, or the legitimate interests of another person, in urgent or emergency circumstances.

Categories and Types of Personal Information We Collect

To provide the JEM Services securely and in compliance with legal and regulatory obligations, we collect and Process Personal Information primarily through electronic means, in accordance with the Data Protection Laws.

This includes information you provide directly through our Website, the JEM Platform, or through written or electronic communications, particularly during the onboarding process and throughout your relationship with us; information we collect automatically as you interact with the JEM Services; and information provided to us by your employer in connection with the provision of the JEM Services.

If you wish to use any of the JEM Services, we will collect and retain certain relevant information about you, including Personal Information, as is reasonably necessary for us to provide the JEM Services, comply with our legal obligations, and protect our legitimate interests.

The categories and types of Personal Information we may collect include, but are not limited to:

• Identification Information: Full name; date of birth; nationality; government-issued identification (passport, national ID, driver’s license); passport/ID numbers; address; signature.
• Contact Information: Email address; phone number; residential or mailing address; billing address.
• Employment and Professional Information: Job title; company name; company registration number; education background.
• Financial and Payment Information: Bank account details; proof of funds; credit information; account authentication details; transaction history; payment method details.
• Device and Technical Information: IP address; device information (e.g., device ID, operating system, browser type); log-in data and session activity; location, time zone and geolocation data (where permitted).
• Regulatory and Compliance Information: Background check information (e.g., sanctions screening, PEP status); responses to KYC/AML questionnaires; documentation submitted for verification.
• Correspondence and Communication Information: Information provided in email correspondence, recorded calls, chat logs, or face-to-face meetings (including online meeting links and/or social messaging platform links and usernames); client support interactions; notes or records from onboarding interviews or compliance meetings; feedback or survey responses.
• Marketing and Preferences Information: Your preferences in receiving marketing communications; data on how you interact with our communications and website content.

Collection Methods

We collect Personal Information through a range of lawful and reasonable methods to support the provision of the JEM Services, comply with applicable legal and regulatory requirements, and enhance your experience when interacting with us. These methods include information you provide directly, information we collect automatically, and information obtained from third parties, your employer, or publicly available sources.

• Direct Collection: Personal Information is collected directly from you, for example when you register an account, complete onboarding forms, or communicate with us by email.
• From Your Employer: Where the JEM Services are provided to you as an employee, we may receive Personal Information about you from your employer, where such collection is necessary for the provision of the JEM Services and is carried out in accordance with applicable Data Protection Laws.
• Third Parties: We may receive Personal Information from third parties acting on our behalf or providing services to us, such as identity verification providers, sanctions screening services, and other compliance partners.
• Publicly Available Sources: Where permitted by law, we collect information from publicly available resources, such as public records and information about you that is openly available on the internet.
• Cookies and Online Tracking: We use cookies and similar tracking technologies on our Website and JEM Platform to enhance your user experience, analyse traffic, and support security functions. These technologies may collect technical and usage data, including your IP address, browser type, session duration, and interactions with the JEM Services. Where required by law, we obtain your consent before placing non-essential cookies on your device. You may manage your cookie preferences at any time through our cookie settings interface.

How We Handle and Use Your Personal Information

We will only process Personal Information that is relevant, adequate, and not excessive for the purposes for which it is collected, as required under the Data Protection Laws. The specific purposes for which we collect and use your Personal Information will be clear from the context in which it is requested and include the following:

• To Verify Your Identity: Confirm your identity, complete onboarding procedures, and meet authentication requirements.
• To Provide, Manage, and Improve Our Services: Set up and maintain your user account, provide secure access to the JEM Platform and Website, deliver features and functionality, and improve performance and usability (legitimate interests and/or contract performance).
• To Comply with Legal and Regulatory Obligations: Including AML, CTF, KYC, tax, and FICA requirements.
• To Facilitate Transactions and Process Billing: Execute instructions, process payments, collect fees, and provide services such as payroll administration, employee benefits facilitation, and other employment-related or HR-linked JEM Services.
• To Communicate With You: Respond to inquiries, send important updates about the JEM Services or our policies, and provide support.
• For Internal Administrative Purposes: Audits, record-keeping, troubleshooting, systems maintenance, and risk management (legitimate interests and in compliance with the Data Protection Laws).
• For Marketing and Promotions (with Consent): Send information about updates, promotions, and new or enhanced JEM Services where permitted. You may withdraw consent or update preferences at any time.
• To Detect and Prevent Fraud and Security Threats: Monitor for suspicious activity, enforce terms of service, prevent fraud, and maintain security and integrity of systems.
• For Legal Claims and Dispute Resolution: Establish, exercise, or defend legal claims, or protect our rights, property, and interests.

We do not retain your Personal Information for longer than is necessary for the purposes for which it was collected or processed, unless a longer retention period is required or permitted by law. We undertake periodic reviews of the Personal Information we hold and ensure that any data no longer required is securely destroyed or deleted. Certain Personal Information may be retained for prescribed periods to comply with applicable laws and regulations, including statutory record-keeping requirements under tax, company, and employment laws, audit obligations, and other regulatory requirements.

Data Sharing with Third Parties

We do not sell or rent your Personal Information to third parties. We may, however, share your Personal Information with carefully selected third parties where such sharing is necessary, lawful, and proportionate to the purpose for which the data was collected, in accordance with the Data Protection Laws, the Terms and Conditions, and the Service Level Agreement. All third parties with whom we share Personal Information are bound by confidentiality and data protection obligations that meet the requirements of the Data Protection Laws.

• Regulatory and Legal Obligations: Regulatory authorities, law enforcement, the Financial Intelligence Centre, tax authorities, courts, or other government bodies when required by law, regulation, court order, or legal process.
• Service Providers: Trusted third parties and JEM Partner Services that support our operations and deliver the JEM Services, including:
  • Identity verification and KYC/AML compliance platforms;
  • Cloud hosting and data storage providers;
  • Payment processors, banking partners, and settlement networks;
  • Security and fraud prevention services;
  • IT and technical support vendors;
  • Email, communication, and analytics platforms.
  These parties process Personal Information on our behalf under strict contractual obligations ensuring compliance with the Data Protection Laws.
• Internal Administrative and Business Purposes: Sharing within our corporate group, including Affiliates and subsidiaries, where necessary for internal administration, compliance, or delivery of joint services.
• Business Transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of our business or assets, subject to continued confidentiality obligations.
• With Your Consent: Where required by law, or where sharing falls outside the purposes described in this Privacy Policy.

Links to other Websites: Our Website and the JEM Platform may contain links to social media sites (e.g., Facebook, LinkedIn, Instagram) and other third-party websites. These sites have their own privacy policies, and we are not responsible for their practices. If you use social media integration features on our Website or the JEM Platform, certain information may be shared with the relevant platform in accordance with their terms.

Data Transfer, Storage and Protection

We take the security and privacy of your Personal Information seriously. In compliance with the Data Protection Laws, our Terms and Conditions, and the Service Level Agreement we implement appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of your data throughout its lifecycle.

• Cross-Border Data Transfers: Your Personal Information may be transferred to, stored, and processed in countries outside of the Republic of South Africa or the jurisdiction in which you live. Where we transfer your Personal Information to a third party in a foreign country, we will do so strictly in accordance with the Data Protection Laws and, where applicable, on the basis that such transfer is necessary for the conclusion or performance of a contract in the interest of the data subject (Section 71(1)(d) of POPIA). In all other cases, we will only transfer your Personal Information if the foreign recipient is subject to a law, binding corporate rules, or a binding agreement that provides a level of protection substantially similar to the Data Protection Laws, or if otherwise permitted under the Data Protection Laws.
• Security Measures: Technical, administrative, and physical measures reasonably designed to protect Personal Information from unauthorised processing, including unauthorised access, disclosure, alteration, or destruction. These include encryption of data in transit and at rest, multi-factor authentication and access controls, secure software development practices, regular system monitoring and vulnerability assessments, and ongoing staff training on data privacy and cybersecurity.
• Internal Access Controls: Access to Personal Information is strictly limited to authorised employees, contractors, and service providers who require such access to perform their job functions, subject to confidentiality obligations.
• Incident Response: We maintain an internal incident response plan. In the event of a security incident involving your Personal Information, we will notify you and any relevant regulatory authority in accordance with the Data Protection Laws. To report concerns or a suspected breach, email our Chief Information Officer.
• Data Minimisation and Retention: We only collect and retain Personal Information necessary for identified purposes and for as long as required to fulfil those purposes or meet legal, regulatory, or operational obligations. Once data is no longer needed, it is securely deleted or anonymised.

While we cannot ensure or warrant the absolute security of any Personal Information you provide to us, we will continue to maintain and improve these measures over time in line with legal and technological developments.

Your Data Protection Rights

As a Data Subject, you have specific rights under the Data Protection Laws regarding the collection, use, storage, and sharing of your Personal Information in connection with the JEM Services. You may contact us at any time to make a request regarding your Personal Information, and we will respond in accordance with the Data Protection Laws. Your rights include the following:

• Right to be Informed: To be notified that your Personal Information is being collected and the purpose for which it is collected.
• Right of Access: To request confirmation of whether JEM holds your Personal Information and to obtain a record or description of that information.
• Right to Request Correction, Deletion, or Destruction: To request that JEM correct, delete, or destroy Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
• Right to Object to Processing: To object, on reasonable grounds, to the Processing of your Personal Information, including for purposes of direct marketing.
• Right to Withdraw Consent: To withdraw your consent to the Processing of your Personal Information at any time, without affecting the lawfulness of Processing prior to withdrawal.
• Right to Lodge a Complaint: To lodge a complaint with the Information Regulator of South Africa if you believe JEM has not complied with the Data Protection Laws in relation to your Personal Information.

We only process your Personal Information in compliance with this Privacy Policy and in accordance with the Data Protection Laws.

Revisions to this Policy

JEM reserves the right to revise, update, or amend this Privacy Policy at any time to reflect changes in our practices, legal obligations, or the functionality of the JEM Services. Any revisions will take effect upon publication of the updated Privacy Policy on our Website, unless otherwise required by the Data Protection Laws.

Where required by the Data Protection Laws, or where the changes are material in nature, we will notify you in advance through appropriate means, which may include email, a prominent notice on our Website or platform, or other direct communication.

We encourage you to review this Privacy Policy periodically to remain informed about how we Process and protect your Personal Information. Your continued use of the JEM Services after any changes to this Privacy Policy will constitute your acknowledgment and acceptance of the revised terms.

Contacting Us

In terms of the Data Protection Laws, JEM has designated an Information Officer who is responsible for ensuring compliance with the Data Protection Laws and for overseeing the protection of Personal Information.

All enquiries relating to the Processing of Personal Information and this Privacy Policy can be addressed to our Information Officer via email on info@jemhr.com.

When contacting our Information Officer, please clearly state that your enquiry relates to JEM and refrain from including any Special Personal Information in your correspondence unless specifically requested and sent through secure channels.