INTEL SECURITY MANDATE

PRIVACY POLICY & POPIA COMPLIANCE MASTER POLICY

WORSHIP HIM DISTRIBUTION (WHD18) & GATHER THE TROOPS MOVEMENT NPC Last Updated: 19 April 2026 Information Officer: HT Sampson

1. About This Policy

This Privacy Policy governs the collection, processing, storage, sharing, and destruction of all personal information handled through whd18.co.za and its associated operations, jointly administered by:

  • Worship Him Distribution (Pty) Ltd ("WHD18") — Registration No. 2023/260436/07 — e-commerce, apparel distribution, and collection agent
  • Gather The Troops Movement NPC ("GTTM") — Registration No. 2025/445470/08 — non-profit mission, outreach, and donor operations

Together referred to as "we", "us", or "our."

Both entities operate from: 6 Umziki Place, Kloof, 3640, South Africa

This Policy complies with:

  • Protection of Personal Information Act 4 of 2013 (POPIA)
  • Electronic Communications and Transactions Act 25 of 2002 (ECT Act)
  • Consumer Protection Act 68 of 2008 (CPA)
  • Non-Profit Organisations Act 71 of 1997
  • Income Tax Act 58 of 1962 — donor financial compliance
  • General Data Protection Regulation (GDPR) — for EU-based users
  • Children's Online Privacy Protection Act (COPPA) — where minors are involved

By using our Services, you acknowledge that you have read and understood this Policy in full.

2. Responsible Parties & Information Officer

Both entities are co-Responsible Parties under POPIA for data processed through this store and associated operations.

Information Officer: HT Sampson Email: HQ@WHD18.CO.ZA Website: whd18.co.za Address: 6 Umziki Place, Kloof, 3640, South Africa Hours: Monday to Friday, 08:00 to 17:00 SAST

Deputy Information Officer: D Sampson Email: HQ@WHD18.CO.ZA Website: whd18.co.za Address: 6 Umziki Place, Kloof, 3640, South Africa Hours: Monday to Friday, 08:00 to 17:00 SAST

POPIA requires the Information Officer to be registered with the Information Regulator of South Africa before this policy goes live. Register at: www.inforegulator.org.za

3. Who This Policy Applies To

This Policy applies to all individuals whose personal information we process, including:

  • WHD18 customers — online shoppers, apparel buyers, and wholesale clients
  • GTTM donors — contributors to the R1 Project and general mission donations
  • Mission participants — prayer walk and global Gathering registrants
  • Church partners — verified partner organisations receiving the 10% religious allocation
  • Volunteers and employees — staff across both entities
  • Website visitors — anyone accessing whd18.co.za

4. Personal Information We Collect

4A. WHD18 — E-Commerce & Retail

  • Contact details — name, email, phone, billing and shipping address
  • Financial information — payment card details and transaction history (processed via PayFast — we do not store full card details)
  • Account information — username, password, preferences, order history
  • Transaction data — items viewed, purchased, returned, or exchanged
  • Communications — customer support enquiries and correspondence
  • Device and usage data — IP address, browser type, cookies, and navigation behaviour

4B. GTTM — Non-Profit & Mission Operations

  • Donor information — full name, ID/passport number, banking details, and donor transaction records
  • Mission participant data — registration details, nationality, organisational affiliation
  • Special personal information (requires explicit consent under POPIA Section 26):
    • Religious beliefs and affiliations — for mission alignment and church partner verification
    • Geolocation/GPS data — real-time and historical tracking during prayer walks and Gatherings
    • Biometric-adjacent data — photos and videos from Gatherings that may identify individuals
  • Minor participant data — collected only with written parental/guardian consent
  • Financial records — R1 Project transactions, 10% church allocation records, and SARS-reportable donor data

Please note: GTTM is in the process of applying for Public Benefit Organisation (PBO) status and Section 18A tax deductibility approval from SARS. Tax-deductible receipts will only be issued once this status is formally granted. Donors will be notified when this becomes available.

5. Lawful Basis for Processing

Customer purchase and order data — WHD18 — Contractual necessity Payment processing via PayFast — WHD18 — Contractual necessity Marketing communications — WHD18 — Consent (opt-in) Donor financial and transaction records — GTTM — Legal obligation (SARS statutory compliance) GPS/geolocation tracking — GTTM — Explicit consent plus legitimate interest (safety) Photos/videos from Gatherings — GTTM — Explicit written consent Religious affiliation data — GTTM — Explicit consent (POPIA s.26 special information) Minor participant data — GTTM — Written parental/guardian consent Church partner data — GTTM — Contractual necessity Legal and regulatory compliance — Both — Legal obligation

6. How We Collect Your Information

We collect personal information:

  • Directly from you — via purchases, registrations, donations, account creation, or correspondence
  • Automatically — via cookies, pixels, and tracking technologies on our website
  • From service providers — including Shopify, PayFast, and logistics/courier partners
  • From third parties — social media platforms or mission partners, where lawfully permitted
  • During events — GPS tracking and media capture at Gatherings and prayer walks with prior explicit consent

7. How We Use Your Information

WHD18 Uses:

  • Processing and fulfilling orders — payment, shipping, delivery, and returns
  • Managing customer accounts and preferences
  • Providing customer support — responses within 1–2 business days
  • Sending marketing and promotional communications with consent — opt-out available at any time
  • Fraud prevention and platform security
  • Improving our website and shopping experience

GTTM Uses:

  • Processing donations and managing donor transaction records
  • Managing the R1 Project and church partner allocations
  • Tracking global mission groups and prayer walks for participant safety and impact reporting
  • Collecting and publishing media from Gatherings for mission updates and public reporting
  • SARS statutory compliance and financial administration
  • Communicating mission updates to registered participants and donors — responses within 1–2 business days

8. Payment Processing — PayFast

All payments through whd18.co.za are processed by PayFast (Pty) Ltd, a registered South African payment service provider:

  • Payment details are processed directly and securely by PayFast
  • WHD18 does not store, access, or retain full card or banking details
  • All transactions are encrypted and PCI-DSS compliant
  • Refunds processed via PayFast are returned to the original payment method within 5–7 business days of approval, with an additional 3–5 business days for your bank to reflect the amount
  • PayFast's Privacy Policy governs payment data: www.payfast.io

GTTM donation payments processed through this store are subject to the same PayFast security standards.

9. GPS & Geolocation Data — Special Provisions

Given the sensitivity of real-time location tracking in GTTM operations:

  • GPS data is used exclusively for participant safety, logistics, and outreach impact reporting
  • Real-time tracking is not publicly visible without explicit user authorisation
  • Location data is accessible only to designated GTTM Operations staff during active missions
  • Participants are informed of tracking before it commences and may opt out without penalty
  • All GPS consent must be explicit and signed — implied consent through registration alone is not sufficient under POPIA Section 26
  • Historical GPS data is archived securely and destroyed after 5 years
  • GPS data access logs are reviewed quarterly by the Information Officer

10. Consent Management

Registration and Event Consent

All mission and prayer walk registration forms include a separate, explicit consent clause covering:

  • GPS/geolocation tracking during the event
  • Photography and video recording
  • Use of media for public reporting and mission updates
  • Right to withdraw consent at any time without penalty

Media Consent

  • A Media Release Form must be signed before any identifiable image is published
  • Photos and videos exclude home addresses and other sensitive personal identifiers
  • Participants may request removal of their image from any published material at any time — requests actioned within 5 business days

Marketing Consent — WHD18

  • Marketing communications are sent only where you have opted in
  • You may unsubscribe at any time via the link in any email or by contacting HQ@WHD18.CO.ZA
  • Unsubscribe requests are processed within 2 business days

Withdrawal of Consent

  • Any data subject may withdraw consent at any time by contacting the Information Officer
  • Withdrawal requests are acknowledged within 1–2 business days and actioned within 5 business days
  • Withdrawal does not affect the lawfulness of processing prior to withdrawal

11. Sharing Your Information

We do not sell or rent your personal information. We share it only with:

Shopify — E-commerce platform and store management — Ongoing PayFast — Payment processing for purchases and donations — Per transaction Courier and logistics partners — Order fulfilment and delivery — Per order Worship Him Distributors (Pty) Ltd — Acting as Collection Agent for GTTM — Ongoing SARS — Statutory tax and donor financial compliance — As required by law Church partners — 10% religious allocation administration — Per allocation cycle Marketing platforms — Where consent has been given — Ongoing while consent active Law enforcement and regulators — Where required by South African law — As legally required Professional advisors — Legal, accounting, compliance bound by confidentiality — As required

All third-party processors are required to sign a Data Processing Agreement (DPA) confirming POPIA compliance before any data is shared.

12. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your session and remember your preferences
  • Analyse website traffic and usage patterns
  • Deliver relevant advertising and product recommendations

You may manage cookie preferences through your browser settings. Disabling cookies may affect website functionality. A full cookie audit is conducted annually by the Information Officer.

13. Data Security

We implement the following security measures across both entities:

  • Encryption — all electronic data stored on encrypted, password-protected cloud platforms
  • Access control — role-based access; sensitive data restricted to Executive Board and Operations/Finance Departments per the approved organigram
  • Multi-factor authentication (MFA) — required for all systems containing personal data
  • Physical security — physical records maintained in a secure, fire-resistant archive (The Black Book); access logged and restricted
  • Confidentiality agreements — all staff with data access must sign a Confidentiality Agreement upon onboarding
  • Security audits — vulnerability assessments conducted every 6 months
  • Access reviews — role-based access rights reviewed quarterly

14. Data Breach Response Protocol

Step 1 — Contain the breach immediately upon discovery — Immediately Step 2 — Assess nature, scope, and risk to data subjects — Within 24 hours Step 3 — Notify the Information Regulator — Within 72 hours (POPIA Section 22) Step 4 — Notify affected data subjects where risk of harm exists — As soon as reasonably possible Step 5 — Document breach and corrective actions in Breach Register — Within 5 business days Step 6 — Review and strengthen security measures — Within 30 days of breach

A Breach Register is maintained by the Information Officer and reviewed quarterly.

15. Data Retention & Destruction

Customer purchase and account records — 5 years post last transaction — Secure deletion Donor financial and transaction records — 7 years (SARS statutory requirement) — Secure deletion and shredding GPS and geolocation tracking data — 5 years — Encrypted deletion Photos and videos from Gatherings — 5 years — Secure deletion Participant registration data — 5 years post-event — Secure deletion Minor participant data — Until age 18 plus 2 years — Secure deletion with parental notification Employee and volunteer records — Duration of relationship plus 5 years — Secure deletion and shredding Marketing consent records — Until consent withdrawn plus 1 year — Secure deletion Breach register records — 5 years from date of breach — Secure deletion

All data destruction is documented and signed off by the Information Officer.

16. Your Rights Under POPIA & GDPR

Access — Request a copy of your personal information — Within 30 days Correction — Update inaccurate or outdated information — Within 15 business days Deletion — Request erasure subject to legal retention obligations — Within 30 days Objection — Object to processing for direct marketing — Within 2 business days Restriction — Limit how your information is used — Within 15 business days Portability — Receive your data in a portable format (GDPR) — Within 30 days Complaint — Lodge a complaint with the Information Regulator — Immediately

All requests must be submitted to HQ@WHD18.CO.ZA and will be acknowledged within 1–2 business days.

Information Regulator of South Africa: Email: inforeg@justice.gov.za Website: www.inforegulator.org.za

17. International Data Transfers

Both entities operate with global participants and donors. Where personal information is transferred outside South Africa:

  • Transfers occur only to countries with adequate data protection laws or under a binding transfer agreement
  • All international transfers are documented and approved by the Information Officer within 5 business days of the transfer
  • EU participants retain full GDPR rights including erasure and data portability
  • International transfer records are reviewed annually by the Information Officer

18. Children's Privacy

Our Services are not directed at children under 18 without parental consent. For GTTM mission participants who are minors:

  • Written parental/guardian consent is mandatory before any personal, location, or media data is collected
  • Minor participant data is stored separately with heightened access restrictions
  • Parents/guardians may request access, correction, or deletion of their child's data at any time — actioned within 15 business days

19. Changes to This Policy

We may update this Policy periodically. The revised version will be posted at whd18.co.za with an updated Last Updated date. Material changes will be communicated directly to registered users at least 7 days before taking effect. Continued use of our Services after changes constitutes acceptance of the updated Policy.

Next scheduled review: April 2027

20. Contact Us

Information Officer: HT Sampson Email: HQ@WHD18.CO.ZA Website: whd18.co.za Address: 6 Umziki Place, Kloof, 3640, South Africa Hours: Monday to Friday, 08:00 to 17:00 SAST Acknowledged within: 1–2 business days Resolved within: 30 days

Information Regulator of South Africa: Email: inforeg@justice.gov.za Website: www.inforegulator.org.za