1. INTRODUCTION

LekkerClap ("we," "our," "us," or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our mobile application and website (collectively, the "Platform"), including features that allow you to send distress alerts and connect with emergency services and nearby LekkerClap users.

This Privacy Policy applies to all users globally and complies with applicable data protection laws, including the Protection of Personal Information Act (POPIA) [South Africa], the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), the Children's Online Privacy Protection Act (COPPA), the Zimbabwe Cyber and Data Protection Act [Chapter 12:07], and other applicable privacy regulations in jurisdictions where our Platform operates or where our users are located.

Please read this Privacy Policy carefully. By accessing and using LekkerClap, you acknowledge that you have read, understood, and agree to be bound by all the provisions of this Privacy Policy.

2. DEFINITIONS

For purposes of this Privacy Policy:

  • "Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to: names, email addresses, phone numbers, physical addresses, precise and approximate location data, IP addresses, device identifiers, biometric data collected during identity verification, contact information from your device, and any other information that can be used to identify you directly or indirectly.
  • "Processing" means any operation performed on personal data, including collection, use, storage, transmission, combination, alteration, deletion, or disclosure.
  • "Data Subject" means any individual to whose personal data we have access through the Platform.
  • "Data Controller" means LekkerClap, the entity that determines the purposes and means of processing personal data.
  • "Data Processor" means any entity processing personal data on behalf of LekkerClap, including third-party service providers such as Didit (identity verification provider).
  • "Emergency Services" means authorized public emergency response entities, including police, fire, medical, and other first responders designated to receive distress alerts.
  • "Distress Alert" means the urgent notification transmitted through the Platform when a user activates the emergency feature to request immediate assistance.

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

Account Registration Information:
  • Full name
  • Email address
  • Phone number
  • Date of birth (to verify age eligibility)
  • Password and security questions
  • Emergency contact information
  • Profile information (optional)

Identity Verification Information (via Didit): When you register as a user aged 13 and above on LekkerClap, we use Didit, a third-party identity verification provider, to verify your identity and age. During this verification process, we collect:
  • Government-issued identification data (passport, national ID, driver's license)
  • Facial recognition biometric data (photograph/video for liveness detection)
  • Name, date of birth, and identification number from government documents
  • Verification metadata and results

Distress Alert Information:
  • Your precise GPS location (latitude and longitude) at the time of alert activation
  • Approximate location based on cell tower or WiFi data
  • Timestamp of the alert
  • Nature or category of emergency (if provided)
  • Voice, video, or message content in the distress alert
  • Your real-time location updates during active alert response
  • Device type, operating system, and connectivity information

Communication Information:
  • Messages you send to nearby LekkerClap users responding to your alert
  • Voice or video call recordings (if you enable this feature)
  • User-to-user chat history with responders
  • Feedback and ratings provided after alert resolution

Device and Technical Information:
  • Device model, manufacturer, and operating system version
  • Device identifier (IMEI, IDFA, or Android Advertising ID)
  • IP address and ISP information
  • Mobile network information (carrier, signal strength)
  • App version and installation date
  • Crash reports and performance diagnostics
  • WiFi network names and MAC addresses

Contacts Information:
  • With your permission, we access and store your device's contact list to help identify trusted emergency contacts

Usage Information:
  • Features accessed and frequency of use
  • Time spent in the application
  • Content you view or interact with
  • Search queries within the platform
  • Settings and preferences you configure
  • Platform pages or features you visit
  • Referral information (how you discovered us)

3.2 Information Collected Automatically

Location Data:
  • Precise location (GPS coordinates) when the app is active and you permit location access
  • Approximate location derived from IP address or cellular data
  • Location history relative to your activities is NOT continuously tracked – precise location is temporary and alert-scoped only

Cookies and Similar Technologies:
  • Session identifiers and cookies for authentication
  • Analytics cookies to track user engagement and app performance
  • Functional cookies to remember your preferences
  • Marketing/advertising cookies (only with your explicit consent)
  • Web beacons and pixel tags for tracking page interactions

Biometric Data:
  • Fingerprint data (if you enable biometric authentication)
  • Facial recognition data (collected during identity verification with Didit)

Health and Safety Data:
  • Emergency status indicators and alert history
  • Response times and resolution metrics
  • Injury or incident descriptions provided in alerts
  • Medical information you voluntarily share in distress alerts

3.3 Information from Third Parties

From Didit (Identity Verification Provider):
  • Age verification results and confirmed identity status
  • Verification success/failure indicators
  • Compliance attestation regarding identity confirmation

From Emergency Services:
  • Confirmation of alert receipt and dispatch information
  • Response and resolution status
  • Incident reports or follow-up information they choose to share

From Other Users:
  • Information reported about your account (abuse reports, complaints)
  • Ratings and feedback provided after interactions

From Service Providers:
  • Payment processors provide transaction verification data
  • Analytics providers furnish aggregated usage statistics
  • Cloud hosting providers share security incident reports

From Your Device:
  • Permissions granted for location, contacts, camera, microphone
  • Mobile operating system data about app performance and crashes

4. LAWFUL BASIS FOR PROCESSING (POPIA-ALIGNED)

LekkerClap processes your personal data based on the following lawful bases under POPIA and other applicable laws:

4.1 POPIA Lawful Bases

POPIA does not require consent for everything. We process personal information based on one or more of the following lawful grounds:

A. Performance of a Contract (PRIMARY)

Applies to:
  • Account creation and user registration
  • Location sharing during active alerts
  • Alert delivery and emergency response coordination
  • Communication with responders

Why this works: You download the app to receive the emergency alert service. Processing your location data during alerts is essential to deliver this service you have contracted for. We do not need your consent for this processing – it is mandatory for service delivery.

Your Rights:
  • This processing cannot be objected to as it is necessary for contract performance
  • We cannot refuse service if you object to contract-based processing
  • However, you retain the right to delete your account and stop using the service

B. Legitimate Interest (SECONDARY)

Applies to:
  • Community awareness and proximity matching of responders
  • Anonymised safety analytics to improve the service
  • Abuse prevention and fraud detection
  • Platform security and integrity
  • Service improvement and feature development

POPIA Requirement: Processing must be reasonable, necessary, and balanced. Your privacy interests cannot be overridden by our legitimate interests.

Your Privacy Zone Architecture Supports This:
  • We mask or reduce location precision inside your privacy zones
  • Precise data is temporary and alert-scoped only
  • We do not continuously track location outside alerts
  • We do not sell location data

Balancing Test:
  • Our interest in safety analytics serves the public interest (better emergency response)
  • Your interest in privacy is protected by data minimization and anonymisation
  • The benefit to community safety outweighs the limited impact on your privacy

Your Rights:
  • You have the right to object to this processing
  • We must then cease processing unless we can demonstrate compelling legitimate interests
  • Objection does not affect contract-based processing (alerts will still work)

C. Consent (LIMITED, EXPLICIT)

We rely on consent only for:
  • Optional notification settings and frequency
  • Analytics and performance data collection (beyond what is necessary for service)
  • Marketing communications
  • Background location access (if ever enabled)
  • Any future data use beyond what is described in this policy

Consent Standards (POPIA requirement):
  • Freely given (not forced or pre-ticked)
  • Specific (clear description of what is consented to)
  • Informed (you understand what you are consenting to)
  • Revocable (you can withdraw consent at any time)

We will NOT:
  • Rely on consent alone for essential service delivery
  • Bundle consent with other terms
  • Make consent mandatory for using the platform
  • Make withdrawal of consent difficult

Your Rights:
  • You can withdraw consent at any time through account settings
  • Withdrawal is effective immediately for future processing
  • Past processing under consent remains valid

D. Protection of Legitimate Interests (Life or Physical Safety)

Applies to:
  • Emergency alerts where your life or someone else's may be at risk
  • Medical or safety incidents requiring immediate response
  • Situations where processing is necessary to protect vital interests

POPIA Legal Basis: POPIA explicitly permits processing to protect the vital interests (life or physical safety) of a data subject or another person. This is a separate lawful basis from consent or contract.

Example: If you activate a distress alert during what appears to be a violent crime, we can share your precise location with emergency services without needing your consent – your safety overrides consent requirements.

Your Rights:
  • You cannot object to this processing when vital interests are at stake
  • However, we apply this basis narrowly – only when there is genuine risk to life or safety
  • After the emergency passes, normal privacy protections resume

5. HOW WE USE YOUR INFORMATION

5.1 Core Service Delivery

  • Emergency Alert Transmission: To send your distress alert to nearby LekkerClap users and authorized emergency services
  • Location Routing: To identify and notify users within geographic proximity to your emergency location
  • User Verification: To confirm your identity and age eligibility through Didit verification, ensuring only appropriate users access the platform
  • Emergency Coordination: To coordinate response efforts between platform users and official emergency services
  • Alert Management: To track alert status, response times, and resolution outcomes
  • User Communication: To facilitate messages and communications between you and responders

5.2 Account Management and Security

  • Account Maintenance: Creating and maintaining your user account, processing registration requests
  • Authentication: Verifying your identity through login credentials, biometric authentication, and identity verification
  • Security and Fraud Prevention: Detecting unauthorized access, preventing fraud, and protecting account integrity
  • Compliance Verification: Confirming ongoing age eligibility and parental consent status for minor users
  • Password Recovery: Enabling account recovery and security credential reset

5.3 Safety and Emergency Response

  • Safety Monitoring: Analyzing distress alerts for patterns indicating genuine emergencies versus misuse
  • Emergency Dispatch Coordination: Sharing location and emergency details with authorized emergency services
  • Response Tracking: Monitoring response times, user safety outcomes, and incident resolution
  • Emergency Service Integration: Transmitting alerts to official emergency services systems
  • Incident Investigation: Investigating reports of platform misuse, false alerts, or emergency service abuse

5.4 Communications

  • Transactional Emails/SMS: Sending account confirmations, password resets, alert acknowledgments, and service notifications
  • Alert Notifications: Pushing urgent notifications about distress alerts and emergency responses
  • Safety Alerts: Notifying you of suspicious account activity or security concerns
  • Service Updates: Informing you of platform changes, maintenance, and feature updates
  • Parental Communications: Sending required privacy notices and consent requests to parents/guardians of minor users

5.5 Analytics and Service Improvement

  • Usage Analytics: Analyzing how users interact with the platform to improve features and user experience
  • Performance Monitoring: Tracking app stability, crash rates, and technical performance
  • Aggregate Reporting: Creating anonymized, aggregate statistics about emergency response patterns
  • A/B Testing: Testing platform modifications to optimize emergency alert delivery and response coordination
  • Trend Analysis: Understanding geographic and temporal patterns in emergency alert usage

5.6 Legal and Compliance

  • Regulatory Compliance: Fulfilling obligations under POPIA, GDPR, CCPA/CPRA, COPPA, Zimbabwe data protection laws, and other applicable regulations
  • Law Enforcement: Responding to warrants, subpoenas, court orders, and lawful government requests
  • Dispute Resolution: Addressing complaints, resolving disputes, and defending legal claims
  • Data Retention Compliance: Maintaining records necessary to demonstrate regulatory compliance
  • Audit Preparation: Maintaining documentation for data protection audits and regulatory investigations

5.7 Legitimate Business Interests

  • Platform Development: Building new features, testing functionality, and improving platform architecture
  • Marketing and Business Development: Understanding user demographics to improve targeting of relevant services
  • Data Quality: Ensuring accuracy of stored personal data and removing duplicate or outdated records
  • Customer Support: Providing responsive support by understanding user history and interaction patterns
  • Risk Assessment: Evaluating data protection risks and implementing appropriate safeguards

5.8 Prohibited Uses

LekkerClap explicitly does NOT use your personal data for:
  • Selling personal information for commercial purposes (except as required by law or with explicit opt-in consent)
  • Profiling for discriminatory purposes
  • Automated decision-making that produces legal or similarly significant effects (except for identity verification)
  • Tracking behavioral patterns for non-emergency purposes
  • Third-party advertising without separate explicit consent
  • Any purpose incompatible with the emergency services nature of the platform

6. DATA MINIMIZATION AND PURPOSE LIMITATION

6.1 Principle of Minimization

LekkerClap adheres to the data minimization principle and collects only the personal data that is:
  • Relevant and necessary for the stated purposes
  • Proportionate to the service being provided
  • Not excessive relative to the emergency response function

We do not collect:
  • Political opinions or religious beliefs
  • Trade union membership
  • Genetic data (except biometric data necessary for identity verification and authentication)
  • Sexual orientation or gender identity (except where voluntarily provided for emergency contact purposes)
  • Criminal convictions or offense data (except as required by law)
  • Financial account information (except payment method for service fees)

6.2 Purpose Limitation

Your personal data will not be used for purposes other than those stated in this Privacy Policy without obtaining your prior written consent. In particular:

  • Location data is collected solely for emergency alert routing and will not be used for:
    • Behavioral tracking or profiling
    • Commercial advertising or marketing (except as needed to notify you of platform features)
    • Sale to location brokers or data aggregators
    • Any non-emergency purpose unless you explicitly consent
  • Identity verification data collected via Didit is retained only for:
    • Confirming age eligibility
    • Preventing account fraud and duplicate accounts
    • Satisfying COPPA and age-of-consent legal requirements
    • Purposes explicitly permitted by Didit's separate privacy policy (which we encourage you to review)
  • Biometric data (facial recognition) is used only for:
    • Identity verification during registration (via Didit)
    • Biometric authentication for account login (if you enable this feature)
    • Liveness detection to prevent spoofing and deepfakes
  • Biometric data will not be used for surveillance, law enforcement matching, or third-party disclosure without explicit consent

7. SHARING AND DISCLOSURE OF INFORMATION

7.1 Essential Service Providers and Processors

LekkerClap shares personal data with the following categories of service providers acting as Data Processors:

Identity Verification:
  • Didit – Third-party identity verification and age confirmation provider
  • Processes: Government ID data, biometric facial recognition data, name, date of birth
  • Purpose: Age verification, identity confirmation, fraud prevention
  • Legal basis: Contract (service provision) and legitimate interest (security)
  • Didit's Privacy Policy: [Link to Didit Privacy Policy]
  • Data retention: As specified in Didit's terms (typically 30-90 days post-verification)

Emergency Services Integration:
  • Emergency Dispatch Centers and Emergency Services – Official emergency response agencies
  • Processes: Your precise location, alert content, phone number, emergency details
  • Purpose: Emergency dispatch and response coordination
  • Legal basis: Vital interests (life-saving emergency response) and contract performance
  • Data retention: Per emergency services record retention requirements (typically 18-36 months)
  • Note: These transfers are mandated by law and occur without requiring additional consent

Cloud Infrastructure and Data Hosting:
  • Cloud Service Providers (e.g., AWS, Google Cloud, Azure)
  • Processes: All platform data including account information, location history, alert records
  • Purpose: Secure data storage, backup, platform infrastructure
  • Legal basis: Contract and legitimate interest (service delivery and security)
  • Geographic location: Data may be stored in multiple jurisdictions
  • Sub-processor notification: Provided as required

Analytics and Monitoring:
  • Analytics Providers (e.g., Firebase, Amplitude, Mixpanel)
  • Processes: Aggregated usage data, crash logs, performance metrics (personal identifiers are removed)
  • Purpose: Understanding platform performance and user engagement
  • Legal basis: Legitimate interest (service improvement)
  • Data retention: Typically 12 months

Payment Processing:
  • Payment Service Providers (e.g., Stripe, PayPal)
  • Processes: Payment method details, transaction amounts, billing information
  • Purpose: Processing subscription fees and in-app purchases
  • Legal basis: Contract (service provision)
  • Note: Payment data is not stored by LekkerClap; providers maintain PCI-DSS compliance

Communication Services:
  • SMS/Email Service Providers (e.g., Twilio, SendGrid)
  • Processes: Phone numbers, email addresses, message content
  • Purpose: Delivering transactional notifications and alerts
  • Legal basis: Contract and legitimate interest (service delivery)

Customer Support:
  • Help Desk and Support Providers (e.g., Zendesk, Intercom)
  • Processes: Support tickets, communication history, user account details
  • Purpose: Providing technical support and resolving issues
  • Legal basis: Contract (service provision) and legitimate interest (customer service)

7.2 Required Legal Disclosures

We may disclose personal information without your consent when legally required to do so:

  • Law Enforcement and Government Requests: We will disclose information in response to lawful warrants, subpoenas, court orders, or government agency requests, as required by law
  • Legal Claims and Proceedings: We may disclose information when necessary to defend against legal claims, enforce our Terms of Service, or protect our rights and property
  • Public Safety: We may disclose information when we believe in good faith that disclosure is necessary to prevent harm, fraud, or illegal activity
  • Emergency Response: Location and alert information is automatically shared with emergency services without delay when a distress alert is activated

When legally permitted, we will provide notice to the affected data subject of any legal disclosure request, unless prohibited by law.

7.3 Mandatory Disclosures

Emergency Services Sharing: When you activate a distress alert, the following information is automatically transmitted to nearby LekkerClap users and authorized emergency services:
  • Your precise GPS location
  • Approximate location
  • Name and contact information
  • Phone number
  • Alert content and description
  • Device information
  • Alert timestamp

This sharing occurs without requiring additional consent because it is the fundamental function of the Platform and is based on lawful bases: (1) performance of contract, (2) vital interests, and (3) legitimate interest in emergency response coordination.

7.4 Conditional Disclosures (Requiring Your Consent)

We will not share your personal data with the following parties without your explicit prior consent:

  • Third-party marketing partners (for promotional offers or advertising)
  • Data brokers or aggregators (for commercial data resale)
  • Credit bureaus (for creditworthiness assessment)
  • Non-emergency government agencies (beyond law enforcement emergency requests)
  • Corporate partners (for co-marketing initiatives)
  • Parent company or affiliates (for purposes beyond service provision)

7.5 Business Transfers

If LekkerClap undergoes a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction, your personal data may be transferred as part of that transaction. We will provide notice of such change and any choices you have regarding your personal data if required by applicable law.

7.6 Aggregated and De-identified Data

LekkerClap may use and disclose aggregated, de-identified, or anonymized data without restriction. This includes:
  • Statistical reports on emergency response patterns
  • Geographic heat maps of emergency alert concentrations
  • Temporal trends in emergency alert usage
  • Aggregate demographic information (without identifying individuals)

Such data cannot identify you and is not considered personal data.

7.7 International Data Transfers

LekkerClap operates globally and may transfer your personal data across international borders. When transferring personal data outside your country of residence:

For POPIA Users (South Africa):
  • Data transfers are subject to POPIA Chapter 2 protections
  • We implement appropriate safeguards (contractual guarantees, adequacy determinations)
  • You have the right to lodge a complaint with the POPIA regulator if transfers are non-compliant

For GDPR/EEA Users: We implement appropriate safeguards as required by GDPR Chapter V, including:
  • Adequacy Decisions: Transfers to countries with EU adequacy decisions (UK, Canada, Japan, etc.)
  • Standard Contractual Clauses (SCCs): Transfers using Commission-approved SCCs including data transfer impact assessments
  • Data Transfer Mechanisms: Implementation of binding corporate rules or contractual safeguards

Data transferred to the United States may be subject to access by U.S. law enforcement under laws like the Foreign Intelligence Surveillance Act (FISA). We assess these risks and implement additional safeguards where feasible.

For CCPA/CPRA Users: We ensure that service providers receiving California personal information are subject to contractual obligations to comply with CCPA/CPRA and maintain equivalent protections.

For Zimbabwe Users: We provide prior written notice to the Zimbabwe Data Protection Authority (POTRAZ) before transferring your personal data outside Zimbabwe, as required by the Cyber and Data Protection Act.

8. DATA RETENTION AND DELETION

8.1 Data Retention Schedule

LekkerClap retains personal data only for as long as necessary to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Precise location data associated with emergency alerts is retained for a limited period and then securely deleted.

Data Category | Retention Period | Legal Basis
Active Account Information | Duration of account activity + 12 months | Contract and legitimate interest
Coarse Presence Data (non-alert) | Rolling 30–90 days | Analytics and service improvement
Precise Alert Location (during emergency) | 30–90 days max | Incident investigation and emergency coordination
Alert Metadata (non-identifiable) | 12–24 months | Analytics and trend analysis
Identity Verification Data (Didit) | 90 days post-verification | GDPR, COPPA, fraud prevention
Biometric Data (facial recognition) | 24 hours post-verification (unless stored with identity provider) | Data minimization, GDPR
Communication Records | 24 months | Dispute resolution, abuse investigation
Payment Information | 12 months or as required by law | Financial record retention requirements
Email/SMS Communications | 12 months | Legal compliance, support history
Analytics and Logs | 6–12 months | Service improvement, security
Backup and Archive Data | 90 days after deletion | Disaster recovery and business continuity
Parental Consent Records | Until child reaches age of majority | GDPR, COPPA, legal compliance
Support / Rights Requests | 12 months | Record-keeping and audit trail
Security / Abuse Logs | 6–12 months | Incident response and investigation

Key Principle: Precise location data is temporary and incident-scoped. We do not maintain rolling location histories outside of active alerts.

8.2 Your Right to Deletion (Right to Be Forgotten)

Subject to legal exceptions outlined below, you have the right to request deletion of your personal data. To exercise this right:

  1. Submit a Deletion Request via your account settings, email to privacy@lekkeclap.com, or certified mail to our address listed in Section 16
  2. Verification: We will verify your identity before processing deletion requests
  3. Processing Timeline:
    • POPIA (South Africa users): Within a reasonable timeframe (typically 30 days)
    • GDPR (EU/EEA users): We will respond within 30 days
    • CCPA/CPRA (California users): We will respond within 45 days (extendable to 90 days)
    • Zimbabwe users: We will respond within a reasonable timeframe consistent with data subject rights

8.3 Exceptions to Deletion

We may retain personal data even after a deletion request if retention is:
  • Legally required by law, regulation, or court order
  • Necessary for law enforcement cooperation in response to lawful governmental request
  • Required for emergency services to maintain incident records
  • Necessary to enforce our agreements or protect legal rights
  • Necessary to prevent fraud or security incidents
  • Required for backup and archive purposes (typically 90 days maximum)
  • Necessary for legitimate interests that override your privacy interest

For minors, we retain parental consent records until the child reaches the age of majority in their jurisdiction, or as required by COPPA.

8.4 Data Portability

Subject to applicable laws, you have the right to:
  • Obtain a copy of your personal data in a structured, commonly used, machine-readable format
  • Transmit that data to another data controller
  • Request that we transmit data directly to another controller

To request data portability:
  1. Submit a request to privacy@lekkeclap.com with "DATA PORTABILITY REQUEST" in the subject
  2. Specify the format in which you wish to receive the data
  3. We will comply within 30-45 days as required by applicable law

9. CHILDREN AND MINORS

9.1 Minimum Age Requirement

LekkerClap is intended for users aged 13 years and above only. We recognize that different jurisdictions have varying age-of-consent thresholds under data protection laws:

  • COPPA (United States): Children under 13 require verifiable parental consent
  • GDPR (European Union): Children under the country-specific age (13-16, varying by member state) require parental consent
  • CCPA/CPRA (California): Consumers under 16 have heightened privacy protections; under 13 require opt-in from parent/guardian
  • POPIA (South Africa): Individuals under 16 require parental consent for data processing
  • Zimbabwe: Individuals under 16 require parental consent for data processing

9.2 For Users Aged 13-15 Years (Parental Consent Required)

Verification of Age: Upon registration, you will be asked to provide your date of birth. If our system identifies you as under the age of consent in your jurisdiction (typically 13-16 depending on location), the following will occur:

Mandatory Parental Consent Process:
  1. We will immediately pause account activation
  2. We will send a direct notice to a parent or legal guardian's email address (as you provide)
  3. The parent must actively confirm consent through:
    • Email verification link + explicit acceptance form, OR
    • Video conference with our trained staff member (for higher-risk data processing), OR
    • Knowledge-based verification questions about the parent's identity

What Parents/Guardians Must Know:

Parents and guardians have the right to:
  • Review all personal data collected about the child
  • Request correction or deletion of the child's data
  • Withdraw parental consent at any time (which will result in account suspension)
  • Prevent future collection of data from the child
  • Know that emergency alerts involving the child may be shared with emergency services

Data Processed from Minors: For users aged 13-15, we minimize data collection to:
  • Basic account information (name, email, phone, date of birth)
  • Identity verification data (via Didit - for age confirmation only)
  • Location data (only when distress alert is active)
  • Emergency alert content and response data
  • Communications with responders (only emergency-related)

Prohibited for Minors:
  • Marketing cookies and behavioral tracking (beyond service-essential analytics)
  • Third-party data sharing for advertising or profiling
  • Sale of personal information
  • Long-term location history outside active alerts

Parental Consent Revocation: Parents may withdraw consent at any time by contacting privacy@lekkeclap.com with a written request. Upon withdrawal:
  • The child's account will be deactivated within 24 hours
  • All non-essential data will be deleted within 30 days
  • Emergency alert records may be retained to fulfill legal obligations

9.3 For Users Aged 16+ (Without Parental Consent in Most Jurisdictions)

Users who reach the age of consent in their jurisdiction (typically 16 in EU, 13+ in some states) may provide their own consent without parental involvement. However:
  • Users aged 16-18 still receive enhanced privacy protections
  • We will not sell their personal information
  • We will not collect biometric data beyond identity verification
  • Marketing communications require active opt-in

9.4 COPPA Compliance (United States, Children Under 13)

For users under 13 in the United States:

Parental Notice and Consent: We will obtain verifiable parental consent using one of the following FTC-approved methods:

  • Confirmatory email sent to parent's email with active acknowledgment link
  • Credit card or payment mechanism providing parental account holder notification
  • Video conversation with trained staff who verbally confirms parental consent
  • Government-issued ID verification of parent identity

Parental Rights Under COPPA:

  • Right to review data collected about the child
  • Right to request data deletion
  • Right to withdraw consent and deactivate child's account
  • Right to opt-out of future collection

Safe Harbor Notice: We may ask to collect certain data that would normally require parental consent but is exempt under COPPA, such as:

  • Email address to send password reset (one-time use exceptions)
  • Name and phone for emergency contact purposes only
  • Location data for emergency alert purposes only

9.5 Contact Information for Parental Inquiries

Parents or guardians who have concerns about a child's account or data:

  • Email: privacy@lekkeclap.com with "PARENTAL INQUIRY" in subject
  • Phone: [Contact number]
  • Mail: [Physical address - see Section 16]
  • Online request form: [Link on platform]

We will respond to parental inquiries within 10 business days.

10. YOUR PRIVACY RIGHTS AND HOW TO EXERCISE THEM

10.1 POPIA Rights (South Africa)

If you are located in South Africa, POPIA grants you the following rights:

1. Right of Access

  • Right: You have the right to request confirmation of whether we process your personal data and request a copy of that data
  • How to Exercise: Submit a "Data Access Request" to privacy@lekkeclap.com
  • Timeline: We will respond within a reasonable timeframe (typically 30 days)
  • Cost: Reasonable fee may apply for compilation of data (not for first request)
  • Exception: We may refuse if the request is vexatious, frivolous, or impairs others' rights

2. Right to Correct/Update

  • Right: You can request correction of inaccurate personal data
  • How to Exercise: Submit a "Correction Request" via your account settings or email
  • Timeline: We will make corrections within a reasonable timeframe
  • Exception: We will not correct data if retention is required by law or for legal proceedings

3. Right to Erasure / Delete

  • Right: You can request deletion of your personal data
  • Grounds for Erasure: The data is no longer necessary for its original purpose; you withdraw consent; you object to processing; the data was unlawfully processed; erasure is required by law
  • How to Exercise: Submit an "Erasure Request" via privacy@lekkeclap.com with "RIGHT TO ERASURE" in subject
  • Timeline: We will respond within a reasonable timeframe
  • Exceptions: We may retain data if necessary for legal obligations, law enforcement cooperation, public health, or establishment of legal claims

4. Right to Restrict Processing

  • Right: You can request that we limit how we process your personal data
  • How to Exercise: Submit a "Restriction Request" to privacy@lekkeclap.com
  • Timeline: We will acknowledge within a reasonable timeframe and apply restrictions while investigating

5. Right to Object

  • Right: You can object to processing of your personal data based on legitimate interest
  • How to Exercise: Submit an "Objection" to privacy@lekkeclap.com
  • Timeline: We must stop processing within a reasonable timeframe unless we demonstrate compelling legitimate interests
  • Exception: You cannot object to processing necessary for contract performance or emergency response

6. Right to Withdraw Consent

  • Right: If we process your data based on consent, you can withdraw that consent at any time
  • How to Exercise: Adjust settings in your account or email privacy@lekkeclap.com
  • Effect: Withdrawal does not affect processing before withdrawal; future processing will stop
  • Exception: Withdrawal does not affect processing necessary for emergency response

10.2 GDPR Rights (for EU/EEA Users)

If you are located in the European Union or European Economic Area, the GDPR grants you the following rights:

1. Right of Access (Article 15)

  • Right: You have the right to obtain confirmation of whether we process your personal data and request a copy of that data
  • How to Exercise: Submit a "Data Access Request" to privacy@lekkeclap.com
  • Timeline: We will respond within 30 calendar days (extendable by 60 days for complex requests)
  • Cost: Free of charge for up to two requests per year; additional requests may incur reasonable fees
  • Exception: We may refuse if the request is manifestly unfounded or excessive

2. Right to Rectification (Article 16)

  • Right: You can request correction of inaccurate personal data
  • How to Exercise: Submit a "Correction Request" via your account settings or email
  • Timeline: We will make corrections within 30 days
  • Exception: We will not correct data if retention is required by law or for legal proceedings

3. Right to Erasure / Right to Be Forgotten (Article 17)

  • Right: You can request deletion of your personal data under certain circumstances
  • Grounds for Erasure: The data is no longer necessary for its original purpose; you withdraw consent; you object to processing; the data was unlawfully processed; erasure is required by law
  • How to Exercise: Submit an "Erasure Request" via privacy@lekkeclap.com with "RIGHT TO ERASURE" in subject
  • Timeline: We will respond within 30 days
  • Exceptions: We may retain data if necessary for legal obligations, law enforcement cooperation, public health, or establishment of legal claims
  • Notification: We will inform third parties of your erasure request, unless impracticable

4. Right to Restrict Processing (Article 18)

  • Right: You can request that we limit how we process your personal data while we verify accuracy or assess your objection
  • How to Exercise: Submit a "Restriction Request" to privacy@lekkeclap.com
  • Timeline: We will acknowledge within 30 days and apply restrictions while investigating
  • Effect: Restricted data will not be processed except with your consent or for legal establishment, exercise, or defense of claims

5. Right to Data Portability (Article 20)

  • Right: You can request a copy of your personal data in a structured, commonly-used, machine-readable format and request transmission to another controller
  • How to Exercise: Submit a "Data Portability Request" to privacy@lekkeclap.com
  • Timeline: We will provide data within 30 days in formats such as CSV or JSON
  • Cost: Free of charge
  • Exception: We may refuse if processing is not automated or if data is not processed based on consent or contract

6. Right to Object (Article 21)

  • Right: You can object to processing of your personal data in certain circumstances
  • Grounds for Objection: Processing based on legitimate interests or public task; processing for direct marketing; processing for purposes of analytics or profiling
  • How to Exercise: Submit an "Objection" to privacy@lekkeclap.com specifying the processing you object to
  • Timeline: We must stop processing within 30 days unless we demonstrate compelling legitimate interests
  • Exception: We may continue processing if necessary to protect vital interests, establish legal claims, or fulfill legal obligations

7. Rights Related to Automated Decision-Making (Article 22)

  • Right: You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects
  • How It Applies: Our identity verification (Didit) is an automated decision, but you have the right to human review
  • How to Exercise: Contact privacy@lekkeclap.com to request human review of any automated verification decision
  • Exception: Automated decisions are permitted if necessary for contract performance or lawful processing with safeguards

8. Right to Withdraw Consent

  • Right: If we process your data based on consent, you can withdraw that consent at any time
  • How to Exercise: Adjust settings in your account or email privacy@lekkeclap.com
  • Effect: Withdrawal does not affect processing before withdrawal; future processing will stop
  • Exception: Withdrawal does not affect processing necessary for emergency response

10.3 CCPA/CPRA Rights (for California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

1. Right to Know/Access (CCPA Section 1798.100)

  • Right: You can request what personal information we have collected, the sources, purposes of collection, and categories of third parties with whom we share it
  • How to Exercise: Submit a "Verifiable Consumer Request" using email to privacy@lekkeclap.com.
  • Verification: We will verify your identity by matching information you provide against records we hold
  • Timeline: We will respond within 45 days (may extend 45 additional days with notice)
  • Format: We will provide information in a portable, readily useable format
  • Cost: Free of charge for two requests per calendar year

2. Right to Delete (CPRA Section 1798.105)

  • Right: You can request deletion of personal information we have collected
  • How to Exercise: Submit a "Deletion Request" with "REQUEST TO DELETE" in subject via email or online form
  • Timeline: We will respond within 45 days (may extend 45 additional days)
  • Exceptions: We may retain data if necessary for service delivery, security, legal obligations, or emergency response
  • Third-Party Notification: We will inform service providers to delete the data, unless deletion is not possible
  • Verification: We will verify your identity before processing deletion
  • Cost: Free of charge

3. Right to Correct (CPRA Section 1798.100(d))

  • Right: You can request correction of inaccurate personal information
  • How to Exercise: Submit a "Correction Request" via privacy@lekkeclap.com
  • Timeline: We will respond within 45 days (may extend 45 additional days)
  • Verification: We will verify identity and assess reasonableness of request
  • Cost: Free of charge

4. Right to Opt-Out of Sale/Sharing (CCPA Sections 1798.120, CPRA Section 1798.120)

  • Right: You can opt-out of the sale or sharing of your personal information to third parties
  • How to Exercise: Use the "Do Not Sell or Share My Personal Information" link in your account settings or on our homepage
  • Current Status: LekkerClap does not sell personal information. Any future sale would require explicit notice and your opt-out mechanism. We do share limited data with emergency services as part of core service delivery.
  • Timeline: We will honor opt-out requests within 45 days
  • Cost: Free of charge

5. Right to Limit Use and Disclosure (CPRA Section 1798.121)

  • Right: You can limit how we use and disclose sensitive personal information (such as location data, biometric data)
  • How to Exercise: Submit a "Limitation Request" to privacy@lekkeclap.com specifying which categories of sensitive data you wish to limit
  • Timeline: We will respond within 45 days
  • Limitations: We will use sensitive data only for service provision, legal compliance, security, fraud prevention, and short-term analytics
  • Exception: We cannot limit location data sharing for emergency alert purposes, as this is core to service delivery

6. Right to Non-Discrimination (CCPA Section 1798.125, CPRA Section 1798.125)

  • Right: You will not face discrimination (including denial of service, different pricing, or lower quality) for exercising your privacy rights
  • How We Comply: We provide the same service quality and pricing to all users regardless of privacy choices
  • Exception: We may offer different service levels if different data collection enables different features (this is not discrimination)

7. Right to Automated Decision-Making (CPRA Section 1798.100)

  • Right: You have the right to understand and challenge automated decision-making that produces legal or similarly significant effects
  • How It Applies: Identity verification may use automated processing; you can request human review
  • How to Exercise: Contact privacy@lekkeclap.com to request explanation of automated decision or human review

8. Consumer Privacy Rights – Opt-Out Preference Signals

  • We honor the Global Privacy Control (GPC) signal to opt-out of sale/sharing and targeted advertising
  • We will treat GPC signal as consumer opt-out request

10.4 Zimbabwe Data Subject Rights

Under the Zimbabwe Cyber and Data Protection Act, you have the right to:

  • Right to Access: Obtain confirmation and copies of personal data we process about you
  • Right to Correction: Correct inaccurate or incomplete personal data
  • Right to Deletion: Request deletion of personal data (subject to legal exceptions)
  • Right to Restrict Processing: Request limitation of how we process your data
  • Right to Withdraw Consent: Withdraw consent for any processing based on consent
  • Right to Complain: Lodge a complaint with the Zimbabwe Data Protection Authority (POTRAZ)

How to Exercise:

  • Submit requests to privacy@lekkeclap.com
  • We will respond within a reasonable timeframe
  • You may contact POTRAZ if unsatisfied: [POTRAZ contact information]

10.5 COPPA Rights (for Parents/Guardians of US Children Under 13)

Parents and guardians have the following specific rights:

  • Right to Review: Request a review of all personal information we have collected about your child
  • Right to Delete: Request deletion of your child's personal information (subject to exceptions)
  • Right to Refuse/Withdraw Consent: Refuse or withdraw permission for future data collection about your child
  • Right to Notification: Receive clear notice of our information practices before we collect from your child

How to Exercise:

  • Email: privacy@lekkeclap.com with "COPPA PARENTAL REQUEST" in subject

We will verify parental identity and respond within 10 business days.

10.6 General Procedures for Exercising Rights

Submitting Requests: You can submit data subject requests through any of the following channels:

  • Email: privacy@lekkeclap.com (must include "DATA SUBJECT REQUEST" in subject)
  • Authorized Agent: We accept requests from authorized agents acting on your behalf if you provide power of attorney or written authorization

Identity Verification:

  • We will verify your identity by requiring information that matches our records
  • For sensitive requests, we may require additional verification such as government ID photocopy
  • We will not request information we do not already hold about you

Response Timelines:

  • POPIA (South Africa): Reasonable timeframe (typically 30 days)
  • GDPR (EU/EEA): 30 calendar days, extendable by 60 days for complex requests
  • CCPA/CPRA (California): 45 calendar days, extendable by 45 additional days
  • Zimbabwe: Reasonable timeframe (typically 30 days)
  • We will provide status updates if processing requires longer

Free Requests:

  • You are entitled to free responses to your requests (POPIA, GDPR, CCPA/CPRA)
  • We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests after first request

Appeal/Complaint: If unsatisfied with our response, you may:

  • Request supervisory authority review (contact your local Data Protection Authority)
  • Appeal any denial of your request in writing
  • Pursue legal remedies available under applicable law

11. DATA SECURITY

11.1 Security Measures

LekkerClap implements comprehensive technical and organizational security measures to protect personal data against unauthorized access, accidental loss, alteration, and disclosure, consistent with the "Privacy by Design" principle.

Technical Safeguards:

  • TLS Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Encryption at Rest: Personal data stored on servers is encrypted using AES-256 or equivalent
  • Secure Cloud Infrastructure: Data is stored with Firebase, GCP, or AWS with their enterprise security standards
  • Role-based Access Control: Access limited to founder and developer only, on need-to-know basis
  • No Continuous Location Tracking: Precise location is captured only during active alerts; no rolling history maintained
  • Separation of Incident Data: Alert data separated from user profile data to minimize exposure
  • Database Security: Firewalls and network segmentation protecting data
  • API Security: Authenticated endpoints with rate limiting

Organizational Safeguards:

  • Limited Access: Only essential personnel (founder + developer) have access to production data
  • No Shared Passwords: Unique credentials with complex requirements for all administrative access
  • 2FA on Admin Consoles: Multi-factor authentication protecting admin access
  • Incident Response Plan: Documented procedures for responding to data breaches (see Section 12)
  • Access Logging: Audit logs documenting who accessed what data and when
  • Employee Training: Annual privacy and security training for all staff
  • Data Minimization: Limiting access to only necessary personal data; purging outdated information
  • Secure Data Destruction: Secure deletion procedures for decommissioned systems

Privacy by Design:

  • Privacy impact assessments conducted before new systems or features are implemented
  • Privacy requirements integrated into system architecture and development processes
  • Default privacy settings configured to protect users (opt-in rather than opt-out)
  • Regular privacy reviews and audits

11.2 Limitations of Security

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security against:

  • Sophisticated cyber attacks or zero-day exploits
  • Insider threats or employee misconduct
  • Physical theft or natural disasters
  • Compromised third-party service providers
  • User negligence (weak passwords, lost devices, phishing attacks)

Your Responsibility:

  • Choose strong, unique passwords and change them regularly
  • Do not share your login credentials with others
  • Keep your device software updated
  • Use secure WiFi networks (not open public WiFi) when accessing the platform
  • Report suspicious activity immediately to security@lekkeclap.com

11.3 Data Protection Impact Assessments

LekkerClap conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

  • Location data collection and emergency alert routing
  • Identity verification and biometric processing
  • Automated decision-making (verification algorithms)
  • Cross-border data transfers
  • Integration with emergency services

These DPIAs evaluate:

  • Lawfulness of processing
  • Necessity and proportionality of data collection
  • Rights and freedom impacts
  • Risk mitigation measures
  • Third-party involvement

Summaries are available upon request to regulatory authorities and can be accessed by data subjects in certain jurisdictions.

12. DATA BREACH NOTIFICATION

12.1 Our Breach Notification Obligations

In the event of a personal data breach (unauthorized access, loss, alteration, or disclosure of personal data), LekkerClap will notify affected users and the Information Regulator in accordance with applicable law.

Notification Timeline:

  • POPIA (South Africa): Notify POPIA regulator as soon as reasonably practicable; notify affected data subjects if high risk
  • GDPR (EU/EEA): Notify supervisory authority within 72 hours of becoming aware of breach; notify affected data subjects without undue delay
  • Zimbabwe: Notify POTRAZ within 24 hours; notify affected data subjects within 72 hours if breach poses high risk
  • California: Notify affected residents without unreasonable delay, consistent with law enforcement requests
  • Other Jurisdictions: Comply with applicable notification timelines

12.2 What We Will Include in Breach Notification

Our breach notification will include:

  • Description of what personal data was compromised
  • Approximate number of affected individuals
  • Date and time of breach discovery
  • Likely consequences of the breach
  • Measures taken or being taken to secure data and mitigate harm
  • Our point of contact for questions
  • Description of remedial measures offered (credit monitoring, identity theft protection, etc.)

12.3 Exceptions to Notification

We may determine that notification is not required if:

  • The breach is unlikely to result in risk to rights and freedoms (e.g., encrypted data where key remains secure)
  • The personal data was not sensitive in nature
  • We have taken sufficient remedial steps
  • Law enforcement requests non-disclosure (temporary)

12.4 Breach Investigation and Response

Upon discovery of a breach:

1. Immediate Containment: Isolate affected systems to prevent further unauthorized access
2. Assessment: Determine scope, nature, and risk level of breach within 24 hours
3. Authority Notification: Notify relevant Data Protection Authorities (POTRAZ, POPIA regulator, ICO, GDPA, etc.) within required timeframe
4. Victim Notification: Notify affected data subjects if breach poses high risk
5. Documentation: Maintain detailed records of breach discovery, investigation, and remediation
6. Enhanced Monitoring: Implement additional security measures to prevent recurrence
7. Review and Lessons Learned: Conduct post-incident review to strengthen security posture

12.5 User Notification About Suspected Breach

If you suspect your account has been compromised or believe we may have experienced a breach affecting you:

  • Contact us immediately at security@lekkeclap.com or call [Emergency phone number]
  • Do not attempt to use your account if you suspect compromise
  • Monitor your credit reports and accounts for suspicious activity
  • Consider placing a fraud alert with credit bureaus
  • We will investigate promptly and follow notification procedures

13. COOKIES AND TRACKING TECHNOLOGIES

13.1 What Are Cookies?

Cookies are small text files stored on your device that contain information about your interactions with the Platform. We use cookies and similar technologies to:

  • Remember your login session and preferences
  • Understand how users interact with features
  • Improve platform performance and user experience
  • Provide analytics and track campaign effectiveness
  • Enable security features and prevent fraud

13.2 Types of Cookies We Use

1. Essential/Necessary Cookies

  • Purpose: Required for basic platform functionality (login sessions, CSRF protection, security)
  • User Consent: Not required (automatically enabled)
  • Duration: Session or 12 months
  • Examples: Session ID, security tokens, language preferences

2. Functional Cookies

  • Purpose: Remember your settings and preferences (time zone, layout preferences)
  • User Consent: Required (you will be prompted on first visit)
  • Duration: 12 months
  • Examples: Display preferences, favorite features

3. Analytics Cookies

  • Purpose: Track how users interact with the platform (pages visited, features used, time on app)
  • User Consent: Required (opt-in)
  • Duration: 12 months
  • Providers: Google Analytics, Firebase, Amplitude
  • Note: Personal identifiers are removed; data is aggregated

4. Marketing/Advertising Cookies

  • Purpose: Track user behavior across websites for targeted advertising (if enabled)
  • User Consent: Required (explicit opt-in)
  • Duration: Up to 24 months
  • Providers: Google Ads, Facebook Pixel, LinkedIn
  • Note: Not used by LekkerClap at this time; future advertising may require separate consent

13.3 Your Cookie Preferences

Managing Cookies in Your Browser: You can control cookies through your browser settings:

  • Most browsers allow you to refuse cookies or alert you when cookies are set
  • Google Chrome: Settings > Privacy and Security > Cookies
  • Safari: Preferences > Privacy > Cookies
  • Firefox: Preferences > Privacy > Cookies
  • Edge: Settings > Privacy > Cookies

Note: Disabling cookies may limit platform functionality.

LekkerClap Cookie Control Panel: Upon first visit, we present a cookie banner with options to:

  • Accept all cookies (including marketing)
  • Accept essential cookies only
  • Customize your preferences by category
  • Access our full cookie policy

Withdraw Consent: You can change your cookie preferences at any time through account settings or the cookie banner on our website.

13.4 Similar Tracking Technologies

Beyond cookies, we may use:

  • Web Beacons/Tracking Pixels: Invisible images that track page views and user interactions
  • Local Storage: Browser-based data storage (HTML5) for preferences and cache
  • Mobile Ad IDs: Device-specific identifiers for mobile app tracking (IDFA on iOS, Android Advertising ID)
  • Server Logs: IP address, browser type, referrer information automatically recorded

All tracking technologies follow the same consent and disclosure requirements as cookies.

13.5 Third-Party Cookies

Third-party service providers may set cookies on your device:

  • Google Analytics: Privacy Policy
  • Firebase: Privacy Policy
  • Amplitude: Privacy Policy

These third parties have their own privacy policies; we are not responsible for their practices.

13.6 Cookie Retention and Deletion

  • Essential Cookies: Retained until end of session or 12 months (renewed with each login)
  • Functional Cookies: Retained for 12 months
  • Analytics Cookies: Retained for 12 months; automatically purged thereafter
  • Marketing Cookies: Retained up to 24 months

You can clear all cookies through your browser settings or by contacting privacy@lekkeclap.com.

14. THIRD-PARTY LINKS AND SERVICES

14.1 Links to Third-Party Websites

The LekkerClap Platform may contain links to third-party websites, applications, and services that are not operated by us, including:

  • Emergency services websites
  • Payment processors
  • Identity verification providers (Didit)
  • Cloud service providers
  • Social media platforms

We are not responsible for the privacy practices of third-party sites. We encourage you to review their privacy policies before providing personal information.

14.2 Third-Party Integrations

When you integrate third-party services with your LekkerClap account:

  • You authorize LekkerClap to share limited data as necessary for the integration
  • The third party's terms and privacy policy apply to their use of data
  • You remain responsible for reviewing third-party privacy disclosures

Common Integrations:

  • Emergency Services APIs: Location and alert data shared automatically for dispatch
  • Payment Processors: Payment method and transaction information
  • Contact Sync: Permission to access device contacts (if you grant permission)

14.3 Social Media Integration

If you connect your social media account to LekkerClap:

  • We request limited permissions (profile information only; we do not post on your behalf)
  • Social media providers set their own cookies; review their policies
  • You can disconnect social media integration at any time through account settings

15. PRIVACY POLICY CHANGES AND UPDATES

15.1 Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

  • Changes in our data practices
  • New features or services
  • Regulatory requirements or legal developments
  • Technological advancements
  • Feedback from users

15.2 How We Notify You

Significant Changes: For changes that materially affect your privacy rights, we will:

  • Provide at least 30 days' notice before changes take effect
  • Send email notification to your registered email address
  • Display a prominent notice in the app or on the website
  • Require affirmative acceptance of revised terms for continued service (in some cases)

Minor Changes:

  • Non-material clarifications or administrative updates will be effective immediately
  • We will note the "Last Updated" date at the top of this policy

15.3 Your Choices Regarding Changes

  • For POPIA/GDPR users: You have the right to object to material changes and withdraw consent
  • For CCPA/CPRA users: You have the right to opt-out of new data collection practices
  • For Minor Users: Parents must re-consent if changes affect data handling for minors

If you do not accept changes, you may:

  • Stop using the Platform
  • Request deletion of your account and data (subject to exceptions)
  • Contact us to discuss specific concerns

15.4 Archive of Previous Versions

Previous versions of this Privacy Policy are available upon request. Contact privacy@lekkeclap.com to request a specific version.

16. CONTACT INFORMATION AND PRIVACY RIGHTS REQUESTS

16.1 Data Protection Officer and Privacy Contact

Data Protection Officer:

  • Email: dpo@lekkeclap.com

The DPO is responsible for:

  • Overseeing privacy compliance
  • Responding to data subject requests
  • Coordinating with regulatory authorities
  • Conducting privacy impact assessments
  • Training staff on privacy obligations

16.2 General Privacy Inquiries

Email: privacy@lekkeclap.com

We will acknowledge receipt of inquiries within 2 business days and provide substantive response within 10-30 business days depending on complexity.

16.3 Request Types and Routing

Data Subject Requests (Access, Deletion, Correction, Portability):

  • Email: privacy@lekkeclap.com with "DATA SUBJECT REQUEST" in subject
  • Include your full name, account email, and specific request details
  • Verification: Provide government ID and proof of residence if requested
  • Timeline: 30-45 days depending on jurisdiction

COPPA Parental Requests:

  • Email: privacy@lekkeclap.com with "COPPA PARENTAL REQUEST" in subject
  • Include parent name, child name, account email, and verification of parental relationship
  • Timeline: 10 business days

Security or Breach Reporting:

  • Email: security@lekkeclap.com (for urgent security issues)
  • Subject: "SECURITY INCIDENT REPORT"

Marketing Communications Opt-Out:

  • Click "Unsubscribe" link in marketing email
  • Email: privacy@lekkeclap.com with "OPT-OUT" in subject
  • Update settings in account preferences

Regulatory Authority Contact (Complaints):

  • POPIA (South Africa): POPIA Regulator / Information Regulator
  • EU Users: Your local Data Protection Authority (e.g., GDPR supervisory authority)
  • California Users: California Privacy Protection Agency (CPPA)
  • Zimbabwe Users: POTRAZ (Zimbabwe Data Protection Authority)

16.4 Regulatory Authority Information

South Africa - POPIA Regulator (Information Regulator):

  • Website: https://www.justice.gov.za/inforeg/

European Data Protection Authorities: Each EU member state has a Data Protection Authority. Examples:

  • Germany (BfDI): https://www.bfdi.bund.de/
  • France (CNIL): https://www.cnil.fr/
  • Ireland (DPC): https://www.dataprotection.ie/
  • Spain (AEPD): https://www.aepd.es/

California Privacy Protection Agency:

  • Website: https://cppa.ca.gov
  • Email: privacy@cppa.ca.gov
  • Phone: (844) 272-4662

Zimbabwe Data Protection Authority (POTRAZ):

  • Website: https://www.potraz.zw/

17. SPECIAL PROVISIONS BY JURISDICTION

17.1 South Africa (POPIA Users)

POPIA Compliance:

  • This policy incorporates all POPIA requirements for lawful processing, transparency, and user rights
  • An Information Officer or DPO is appointed and available for inquiries
  • Personal information is processed according to POPIA's Eight Conditions
  • Data subjects can lodge complaints with the Information Regulator if rights are violated
  • We maintain records of our lawful basis for processing each data category

17.2 European Union and EEA Users

GDPR Compliance:

  • This policy incorporates all GDPR requirements for lawful processing, transparency, and user rights
  • Standard Contractual Clauses (SCCs) are in place for data transfers outside the EEA
  • Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing
  • Legitimate interests assessments are documented for processing based on legitimate interests
  • A Data Protection Officer is appointed and available for inquiries

Digital Services Act (DSA):

  • We provide clear information about algorithmic recommendation systems
  • We prohibit deceptive design (dark patterns) that may manipulate privacy choices
  • We provide easy mechanisms to control advertising and tracking

ePrivacy Directive:

  • Prior consent is obtained before non-essential cookies are set
  • Consent is granular by category (analytics, functional, marketing)
  • You can withdraw consent at any time through cookie settings

17.3 California Residents

CCPA/CPRA Compliance:
  • This policy incorporates all CCPA and CPRA rights and obligations
  • Service provider contracts include required CCPA/CPRA data handling restrictions
  • Risk assessments are conducted if processing poses significant privacy risk
  • Cybersecurity audits are performed for sensitive data handling
  • Financial incentive disclosures are provided if you opt into any data programs

California Online Privacy Protection Act (CalOPPA):
  • This policy includes a link to our Shine the Light request process
  • California residents can request a list of third parties with whom we share personal information

California's Right to Opt-Out of Targeted Advertising:
  • We do not currently engage in targeted advertising, but if we do in the future, California residents will have an opt-out mechanism
  • We honor the Global Privacy Control (GPC) signal

17.4 Other State Privacy Laws

States with Comprehensive Privacy Laws (Virginia, Colorado, Connecticut, Utah, Montana, Delaware, Mississippi, Texas):
  • Users in these states enjoy similar rights to those granted under CCPA/CPRA
  • Specific implementations may vary; please review your state's law or contact privacy@lekkeclap.com

17.5 Zimbabwe Residents

Cyber and Data Protection Act [Chapter 12:07] Compliance:
  • LekkerClap is registered with POTRAZ as a Data Controller
  • A Data Protection Officer has been appointed and is responsible for compliance
  • Data subjects may exercise rights as outlined in Section 10.4
  • Breaches are reported to POTRAZ within 24 hours
  • Data transfers outside Zimbabwe are notified to POTRAZ in advance
  • This policy is aligned with Zimbabwe's data protection principles

18. INTERNATIONAL DATA TRANSFERS AND ADEQUACY DECISIONS

18.1 How We Handle International Transfers

LekkerClap operates globally and processes personal data across multiple countries and continents. When your personal data is transferred to countries with different data protection standards:

For POPIA/GDPR Compliance: We use the following mechanisms to ensure adequate protection:

  1. Adequacy Decisions: Transfer of data to countries where regulatory authorities have determined adequate protection:
    • United Kingdom
    • Canada
    • Japan
    • New Zealand
    • Switzerland
    • [Others as applicable]
  2. Standard Contractual Clauses (SCCs): For transfers to countries without adequacy decisions, we incorporate SCCs and conduct Transfer Impact Assessments (TIAs) to evaluate:
    • Laws of the receiving country that may impact data protection
    • Existence of foreign intelligence laws requiring data disclosure
    • Ability to enforce SCC protections in that jurisdiction
    • Implementation of additional safeguards where necessary
  3. Binding Corporate Rules (BCRs): If LekkerClap expands to have multiple affiliated entities, BCRs may be implemented to govern internal data transfers
  4. Derogations: In limited circumstances, transfers may proceed under GDPR/POPIA derogations (informed consent, vital interests, legal claims, public interest)

For California Users: We ensure that service providers and contractors receiving California personal information are subject to contractual obligations to maintain CCPA/CPRA compliance and equivalent protections.

For Zimbabwe Users: Before transferring your personal data outside Zimbabwe, we notify POTRAZ and implement safeguards to maintain data protection standards.

18.2 Data Residency and Storage Locations

Primary Data Storage Locations:
  • Primary region: [Specify - e.g., United States, European Union, South Africa]
  • Backup regions: [Specify others]
  • Emergency services data: May be replicated to optimize response

You have the right to:
  • Know where your data is stored and processed
  • Request that data be stored in a specific jurisdiction (if feasible)
  • Request deletion rather than transfer

Data Location Considerations:
  • Some features may require data processing in multiple locations (emergency response)
  • We implement privacy controls and encryption regardless of storage location
  • Data may transit through multiple jurisdictions for backup and recovery purposes

19. DISPUTE RESOLUTION AND GOVERNING LAW

19.1 Governing Law

This Privacy Policy is governed by the laws of [Specify primary jurisdiction - typically where company is incorporated]. However, data protection disputes are governed by the laws of the data subject's jurisdiction:
  • POPIA for South Africa residents
  • GDPR for EU/EEA residents
  • CCPA/CPRA for California residents
  • Zimbabwe Cyber and Data Protection Act for Zimbabwe residents
  • Other applicable state or national laws for other users

19.2 Dispute Resolution Process

If you believe we have violated your privacy rights:

  1. Informal Resolution (First Step):
    • Contact us with details of the alleged violation: privacy@lekkeclap.com
    • We will acknowledge receipt within 2 business days
    • We will investigate and respond substantively within 30 days
    • If necessary, we will offer remedies or corrective actions
  2. Escalation (If Unsatisfied):
    • Request escalation to our Data Protection Officer
    • Provide written explanation of the unsatisfactory response
    • We will conduct further investigation and provide written resolution
  3. Regulatory Authority Complaint:
    • File a complaint with your jurisdiction's Data Protection Authority
    • No prior complaint to us is required
    • Authorities can conduct independent investigations and impose penalties
  4. Legal Action:
    • You may pursue civil litigation if other remedies are insufficient
    • Private right of action for data breaches: Available under various laws (statutory damages $100-$750 per consumer, per incident under some regimes)
    • Your jurisdiction's consumer protection laws may provide additional remedies

19.3 Liability Limitations

Subject to applicable law, LekkerClap's liability for privacy violations is limited to:
  • Correcting the violation and restoring compliant processing
  • Providing credit monitoring or identity theft protection services (for breaches)
  • Payment of statutory damages where applicable
  • Actual damages proven by you, not to exceed [Amount based on jurisdiction]

Exclusions:
  • We are not liable for your failure to keep passwords secure or confidential
  • We are not liable for unauthorized access due to your negligence
  • We are not liable for third-party processor actions beyond our reasonable control

20. FINAL PROVISIONS

20.1 Entire Agreement

This Privacy Policy, together with our Terms of Service, constitutes the entire agreement regarding privacy and data protection between you and LekkerClap. If any provision is found to be unenforceable, the remaining provisions will remain in effect.

20.2 Severability

If any provision of this Privacy Policy is found invalid or unenforceable by a court or regulatory authority:
  • That provision will be severed
  • Remaining provisions continue in full force
  • We will amend the policy to comply with the regulatory determination

20.3 Waiver

Failure by LekkerClap to enforce any privacy right does not constitute a waiver of that right. We reserve the right to enforce all privacy protections at any time.

20.4 Acknowledgment

By using LekkerClap, you acknowledge that you have:
  • Read and understood this Privacy Policy
  • Agreed to the collection and processing of personal data as described
  • Understood your rights and how to exercise them
  • Consented to emergency alert functionality, including location sharing with emergency services

21. APPENDICES

Appendix A: List of Third-Party Service Providers and Data Processing

| Service Provider | Data Categories | Purpose | Privacy Policy | Processing Location |
|---|---|---|---|---|
| Didit | ID documents, biometric data, name, DOB | Age verification, fraud prevention | [Link] | [Location] |
| [Provider] | All platform data | Data storage, backup, infrastructure | [Link] | [Location] |
| Google/Firebase | Usage metrics (anonymized) | Performance monitoring | [Link] | [Location] |
| [Processor] | Payment method, transaction data | Billing | [Link] | [Location] |
| [Provider] | Phone/email, message content | Notifications | [Link] | [Location] |
| Emergency Services | Location, alert content, contact info | Emergency dispatch | N/A | Regional |

Appendix B: Data Processing Agreement (DPA) Terms

All Data Processors are subject to a Standard Data Processing Agreement incorporating:
  • POPIA Chapter 2 processor obligations
  • GDPR Article 28 processor obligations
  • CCPA/CPRA processor restrictions
  • Data security requirements
  • Sub-processor notification
  • Data subject rights assistance
  • Data breach notification
  • Audit rights and compliance certification
  • Termination and data return/deletion obligations

Appendix C: Consent Records and Parental Consent Documentation

LekkerClap maintains records of:
  • User consent to terms and privacy policy
  • Parental consent for minor users (digitally signed with timestamp)
  • COPPA verifiable parental consent methods used
  • Cookie and marketing communication preferences
  • Withdrawal of consent (with timestamp)

These records are retained for 5+ years to demonstrate POPIA, GDPR, CCPA, and COPPA compliance.

Appendix D: POPIA Lawful Basis Summary

| Processing Activity | Lawful Basis | Data Categories | POPIA Justification |
|---|---|---|---|
| Account creation & management | Contract | Name, email, phone, DOB | Necessary for service delivery |
| Location sharing during alerts | Contract + Vital Interests | Precise GPS location | Essential for emergency response |
| Identity verification | Contract | Government ID, biometric | Age eligibility confirmation |
| Community proximity matching | Legitimate Interest | Approximate location, anonymized data | Reasonable, necessary, balanced for safety |
| Analytics & service improvement | Legitimate Interest | Aggregated usage data | Improves service quality for all users |
| Abuse prevention & fraud detection | Legitimate Interest | Account behavior, patterns | Protects integrity and security |
| Optional notifications | Consent | Notification preferences | Freely given, specific, revocable |
| Marketing communications | Consent | Email/SMS address, preferences | Explicit opt-in required |

Appendix E: Data Subject Rights Request Forms

Standardized forms for:
  • Data Access Request
  • Erasure/Deletion Request
  • Correction/Rectification Request
  • Data Portability Request
  • Restriction of Processing Request
  • Objection to Processing
  • Right to Withdraw Consent

Forms available at: [Website link]

Appendix F: POPIA Evidence Pack (Auditable Records)

LekkerClap maintains and stores the following POPIA evidence:
  1. Current Privacy Policy (PDF + dated version history)
  2. Change log (what changed, when, why)
  3. Data subject request log (dates, types, responses, outcomes)
  4. Security measures summary (1-page overview of controls)
  5. Data retention schedule (detailed table by category)
  6. Screenshots of in-app disclosures (privacy zones, notifications, alerts)
  7. Lawful basis assessments (documented for each processing activity)
  8. Data Processing Agreements (with all third-party processors)
  9. Breach incident records (if any)
  10. Employee training records (privacy & security)

These documents are stored securely and available for regulatory inspection.

CONCLUSION

LekkerClap is committed to protecting your privacy and complying with all applicable data protection laws globally, including POPIA, GDPR, CCPA/CPRA, and others. We recognize that trust is essential to our mission of providing life-saving emergency alert services.

You are already 80% POPIA-aligned by design because we:
  • Minimise location use (temporary, alert-scoped only)
  • Scope precise data to incidents
  • Give users control (privacy zones, settings, consent)
  • Do not sell data
  • Implement appropriate security measures

What this revised policy does:
  • Makes your data practices explicit
  • Makes them defensible under POPIA and other laws
  • Makes them auditable (evidence trail, documentation)

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us using the information in Section 16.

Thank you for trusting LekkerClap with your information and your safety.

Last Updated: January 8, 2026
Effective Date: January 1, 2026