PRIVACY NOTICE

---

We at Goneke Investment Group Proprietary Limited ("GIG") respect your concerns about privacy. 

This Privacy Notice describes how we process Personal Data:

• that we collect on goneke.com, or any pages accessible through goneke.com, and other websites or applications that link to this Privacy Notice (the "Sites");
• where you visit our premises;
• where you are a contact at one of our suppliers or other business partners; and
• through other data collection points or notices that reference this Privacy Notice.

We provide information on the types of Personal Data we collect, how we use it, with whom we may share it, and the choices available to you. We also describe the measures we take to protect the security of the information and how you can contact us about our privacy practices.

"Personal Data" has the meaning given to it under applicable data protection laws, including the Protection of Personal Information Act 4 of 2013 ("POPIA") and, where applicable, the EU General Data Protection Regulation ("GDPR"). It includes any information that relates to, describes, identifies or can be used, directly or indirectly, to identify an individual, such as name, address, date of birth, personal identification numbers, sensitive personal information, and economic information.

The types of information we collect concerning individuals include:

• Business and personal contact information (such as name, postal and e-mail addresses, and telephone number);
• Demographic information, such as age, race, gender, and citizenship;
• Account information, including login credentials for our Investor Portal and on our career site;
• Financial and other information you provide in connection with our Investor Portal at goneke.com, such as date of birth, banking information, account numbers, taxpayer ID number, jurisdiction of tax residence, and investment-related information;
• Government-issued identifiers and other information we need in order to identify you and complete necessary security and safety checks;
• CCTV footage on our premises for the purposes of safeguarding our customers, employees, facilities, and property;
• Content (and related information) in connection with your electronic communications with us or our service providers;
• Professional details and employment data in connection with job inquiries or applications on our careers pages, such as resume/CV, employment history, performance-related information, talent management information, and work authorisation status;
• Voluntary information you provide in connection with job inquiries or applications, including diversity-related information such as gender, race/ethnicity, veteran status, and disability status;
• Information from third-party data providers and publicly available sources for compliance with anti-money laundering (AML) obligations, background screening, and to otherwise protect our business and comply with legal and regulatory obligations;
• Information from our charitable foundation, such as details relating to your involvement with our philanthropic and charitable causes, and your charitable contributions;
• Information relating to your participation in our programmes and related events or workshops;
• Information from organisations that you represent and with which we have a business relationship, such as your business contact details or details of your role at the organisation; and
• Other information you provide to us (such as information provided by registering for e-mail alerts, filling in forms, and online registration details).

If you provide information to us about another person, you should ensure that you provide that person with this Privacy Notice and comply with any legal obligations that may apply to your provision of that information to us.

When you visit our Sites or open our e-mails, we may collect certain information by automated means (such as cookies, web server logs, web beacons, and JavaScript). The information we collect in this manner includes your IP address, network location, browser characteristics, device characteristics, operating system, referring URLs, information on actions taken on our Sites, and dates and times of website visits.

Cookies are files that websites send to your computer or other Internet-connected device to uniquely 

identify your browser or to store information or settings on your device. Please see our Cookie Policy for information about how we use cookies and similar technology. We also may use these technologies in e-mails we send you to collect information, such as whether you opened or clicked links in our e-mails.

We may use third-party web analytics services on our Sites, such as Google Analytics, to help us analyse how visitors use the Sites. The information processed for this purpose (including your IP address and other information collected by automated means) may be disclosed to or collected directly by these service providers. To learn about opting out of Google Analytics, please visit https://tools.google.com/dlpage/gaoptout.

Our Sites are not designed to respond to "do not track" signals received from browsers. To learn how to opt out of interest-based advertising, please visit www.aboutads.info/choices, http://www.networkadvertising.org/choices, or http://www.youronlinechoices.eu.

In accordance with POPIA and, where applicable, the GDPR, we process your Personal Data only where we have a lawful basis to do so. The lawful bases we rely upon include:

• Consent: where you have given us clear consent to process your Personal Data for a specific purpose;
• Contract: where processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract;
• Legal obligation: where processing is necessary for compliance with a legal or regulatory obligation to which we are subject;
• Legitimate interests: where processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms; and
• Public interest: where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Where we rely on legitimate interests as a basis for processing, we do so only where we have concluded that our processing does not prejudice you or your privacy in a way that would override those legitimate interests.

We may use, disclose or otherwise handle the information described in this Privacy Notice to:

•  Operate, evaluate, develop, promote, and improve our business (including developing new products and services; managing our communications; managing our premises; and performing accounting, auditing, and other internal functions);
• Create and manage your account;
• Manage your investments;
• Comply with and enforce applicable legal requirements, relevant industry standards, and our policies;
• Protect against, identify and prevent fraud, money-laundering, breach of confidence, cyber attack, theft of proprietary materials, financial or business crimes, and other unlawful activity;
• Provide our products and services to you, such as market commentary and e-mail alerts;
• Send you promotional materials, newsletters and other communications;
• Communicate with you about, and administer your participation in, special events, programmes, promotions, offers, surveys, and market research;
• Respond to your inquiries;
• Manage your employment application and assess your qualifications;
• Verify your information;
• Perform data analyses (including market and consumer research, demographic analyses, and anonymisation and aggregation of information);
• Operate, schedule, and facilitate online meetings, webinars, and video conferences;
• Record and monitor details and content of your electronic interactions with us or our service providers, to the extent permitted or required by applicable law; and
• Record audio and video content of in-person or online events, training, and meetings where permitted by applicable data protection law.

CCTV operates in some of our buildings for security and safety purposes in accordance with applicable data protection law. We will only process your Personal Data as necessary to pursue the purposes described above.

We may use automated processing and, in limited circumstances, artificial intelligence ("AI") tools and algorithms to assist in the analysis of data and the delivery of our services. Where any automated processing produces decisions that significantly affect you, we will:

• Inform you that such automated decision-making is taking place;
• Explain the logic involved and the significance and envisaged consequences for you;
• Provide you with the right to request human review of the decision; and
• Refrain from using your sensitive personal information for automated profiling without your explicit consent.

We do not use automated decision-making in a way that produces legal effects or similarly significant effects on individuals without appropriate human oversight. If you have questions about how automated tools are used in relation to your data, please contact us as set out in Section 12.

We and third parties acting on our behalf (such as LinkedIn) may collect information about your online activities over time and across third-party websites to provide you with advertising about products and services tailored to your interests. Where required by applicable law, we will obtain your consent for the processing of your Personal Data for direct marketing purposes.

If you receive direct marketing communications from us, you may opt out by clicking the unsubscribe link in the relevant communication or by e-mailing info@goneke.com.

We do not disclose Personal Data we obtain about you, except as described in this Privacy Notice. We may share your Personal Data with our affiliates and subsidiaries. Depending on the nature of our relationship with you, we also share Personal Data with:

• Service providers who perform services on our behalf (including cloud services);
• Financial and transaction counterparties;
• Philanthropic, charitable, and advocacy partners;
• Our professional advisors (including auditors, legal counsel, and accountants); and
• Your agents and representatives.

We do not authorise these persons to use or disclose the information except as necessary for the purposes for which it is provided or to comply with legal requirements.

We also may disclose information about you: (i) if we are required to do so by law or legal process; (ii) to law enforcement authorities, regulators, and/or other government entities based on a lawful disclosure request; or (iii) when we believe disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity. We reserve the right to transfer Personal Data in the event that we sell or transfer all or a portion of our business or assets.

In addition, we may share anonymous or aggregated information with third parties, such as service providers, in order to facilitate our business operations.

In accordance with POPIA and applicable data protection laws, in the event that we become aware of a security compromise involving your Personal Data, we will:

• Notify the South African Information Regulator as soon as we are reasonably certain that a compromise has occurred, without undue delay;
• Notify affected data subjects in a manner that allows them to take protective measures, unless the Information Regulator agrees that notification is not required; and
• Document all security compromises, including those that do not result in notification, for accountability and audit purposes.

Our incident response plan is reviewed annually and tested to ensure it remains effective. If you suspect that your Personal Data has been compromised, please contact us immediately at info@goneke.com.

We may transfer the Personal Data we collect about you to recipients in countries other than the country in which the information was originally collected. Where you are based in South Africa, the UK, the EU, or another country which imposes data transfer restrictions, this includes transfers outside of those territories.

Where we transfer Personal Data outside of the relevant territory, we will ensure that appropriate safeguards are in place in accordance with applicable data protection law, including:

• Data transfer agreements incorporating standard contractual clauses approved by the relevant authority;
• Binding corporate rules where applicable; or
• Any other mechanism recognised as providing an adequate level of protection under applicable law.

We intend to keep your Personal Data accurate and up to date. We will delete the information that we hold about you when we no longer need it. We retain your Personal Data for as long as it is required for our legitimate purposes, to perform our contractual obligations, or where longer, such longer period as is required or permitted by law or regulatory obligations which apply to us.

In all cases, we apply the following principles to retention:

• Data is retained no longer than is necessary for the purpose for which it was collected (POPIA’s storage limitation principle);
• Retention schedules are documented and reviewed annually; and
• Upon expiry of the applicable retention period, data is securely deleted or anonymised.

Note that we may retain some limited information about you so that we can maintain a continuous relationship with you if and when we are in contact with you again in future.

To the extent provided by the law of your jurisdiction, you have the following rights in connection with your Personal Data:

• Right of access: You may request that we confirm whether we hold Personal Data about you and, if so, provide you with a copy of that information.
• Right to correction: You may request that we correct inaccurate or incomplete Personal Data we hold about you.
• Right to deletion: You may request that we delete certain Personal Data we hold about you, subject to applicable legal obligations.
• Right to object: You may object to our processing of your Personal Data for direct marketing purposes at any time, and in certain other circumstances based on your particular situation.
• Right to data portability: In certain circumstances, you may request that we transfer your Personal Data to you or to a third party in a structured, commonly used, and machine-readable format.
• Right to opt out of automated decision-making: Where we use automated processing that produces significant effects on you, you have the right to request human review.
• Right to withdraw consent: Where we rely on your consent as the basis for processing, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To submit a request to exercise any of these rights, please contact us as set out in Section 12. We will respond to requests within the timeframes required by applicable law. We review and verify requests to protect your Personal Data and will action data protection requests fairly and in accordance with applicable data protection laws.

If you are dissatisfied with our response, you may lodge a complaint with the relevant supervisory authority:

• South Africa: The Information Regulator (www.justice.gov.za/inforeg);
• European Union: Your local data protection authority; or
• United Kingdom: The Information Commissioner’s Office (ico.org.uk).

We maintain administrative, technical, and physical safeguards designed to protect the Personal Data we obtain through the Sites and other channels against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use. 

These safeguards include:

• Encryption of Personal Data in transit and at rest;
• Access controls and authentication mechanisms to limit access to authorised personnel;
• Regular security assessments, penetration testing, and vulnerability management;
• Staff training on data privacy and security obligations; and
• Third-party processor due diligence and contractual data processing agreements.

We review and update our security measures on a regular basis to address evolving threats and comply with applicable standards.

In accordance with POPIA, GIG has appointed an Information Officer who is responsible for ensuring compliance with POPIA and this Privacy Notice. Our Information Officer is registered with the South African Information Regulator.

Any queries relating to the processing of your Personal Data, requests to exercise your rights, or concerns about our privacy practices should be directed to our Information Officer at:

Email: info@goneke.com

Address: 70 Melville Road, Illovo, Johannesburg, Gauteng, 2196, South Africa

Our Sites may provide links to other websites for your convenience and information. These websites may operate independently from us. Linked websites may have their own privacy notices or policies, which we strongly suggest you review. To the extent any linked websites are not owned or controlled by us, we are not responsible for their content, any use of the websites, or their privacy practices.

This Privacy Notice may be updated periodically and without prior notice to you to reflect changes in our Personal Data practices or applicable law. We will post the updated version on the Sites and indicate at the top of the Notice when it was most recently updated. We recommend that you check this Privacy Notice regularly for any updates.

Where changes are material, we will take reasonable steps to notify you directly, such as by e-mail or by displaying a prominent notice on our Sites.

If you have any questions or comments about this Privacy Notice, or if you would like us to update information we have about you or your preferences, please contact us:

Email: info@goneke.com

Web form: goneke.com

You may also write to us at:

Goneke Investment Group South Africa Proprietary Limited

Attn: Information Officer / Legal & Compliance

70 Melville Road, Illovo

Johannesburg, Gauteng, 2196

South Africa

Individuals in the UK and EU may write to:

Goneke Investment Group Europe LLP

Attn: Legal & Compliance

17 Rickfield

Crawley, RH10 8EF

United Kingdom

Please also contact us via any of the above methods if you require this Privacy Notice in an alternative format..

This California Consumer Privacy Statement ("Statement") supplements the Privacy Notice. It applies solely to California consumers, including visitors to our premises and our public-facing websites and mobile apps, GIG job applicants, and representatives of our suppliers and business partners.

This Statement does not apply to: (1) GIG personnel, their emergency contacts, or their relatives for whom we administer benefits; or (2) information collected, processed, or disclosed in connection with the provision of financial products or services pursuant to the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act.

This Statement uses certain terms that have the meaning given to them in the California Consumer Privacy Act of 2018 (the "CCPA"), as amended by the California Privacy Rights Act of 2020 (the "CPRA"), and its implementing regulations, including the 2025 regulations on automated decision-making technology ("ADMT"), privacy risk assessments, and cybersecurity audits.

We may collect (and may have collected during the 12-month period prior to the effective date of this Statement) the following categories of personal information about you:

• Identifiers: such as name, postal address, unique personal identifier, online identifier, IP address, e-mail address, account name, Social Security number, driver’s licence number, passport number, and other similar identifiers;
• Additional Data Subject to Cal. Civ. Code § 1798.80: including signature, state identification card number, education, and financial information;
• Protected Classifications: such as race, colour, national origin, age, sex, gender, sexual orientation, medical condition, citizenship status, and military and veteran status;
• Commercial Information: including records of products or services purchased, obtained, or considered;
• Online Activity: Internet and other electronic network activity information, including browsing history, search history, and information regarding your interaction with websites, applications, or advertisements;
• Sensory Information: audio, electronic, visual, and similar information;
• Employment Information: professional or employment-related information; and
• Inferences: inferences drawn from any of the information above to create a profile about you reflecting your preferences, characteristics, and aptitudes.

In accordance with the 2025 CPPA regulations on ADMT, where we use automated decision-making technology that produces decisions that significantly affect you, we will provide you with a Pre-Use Notice disclosing the purpose, the categories of Personal Data used, and your right to opt out. You may exercise your right to opt out of ADMT by contacting us at privacyqueries@goneke.com.

We do not sell your personal information in exchange for monetary compensation. We may disclose your personal information by allowing certain third parties (such as online advertising services) to collect personal information via automated technologies on our websites for cross-context behavioural advertising purposes. Under California law, these disclosures may be considered a "sale" or "sharing." You have the right to opt out of these types of disclosures.

We do not have actual knowledge that we sell or share the personal information of minors under 16 years of age.

You have the following rights regarding your personal information:

• Access: You have the right to request, twice in a 12-month period, that we disclose to you the personal information we have collected, used, disclosed, and sold about you during the past 12 months.
• Correction: You have the right to request that we correct inaccurate personal information we maintain about you.
• Deletion: You have the right to request that we delete certain personal information we have collected from you.
• Opt-Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioural advertising purposes.
• Opt-Out of ADMT: You have the right to opt out of automated decision-making technology that produces significant decisions about you.
• Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your privacy rights.

To submit an access, correction, or deletion request, you may use our online form at goneke.com or call 1-800-262-8408. You may opt out of the sale or sharing of your personal information by using the "Do Not Sell or Share My Personal Information" link on our Sites or using the Global Privacy Control signal. To submit a request as an authorised agent on behalf of a consumer, contact us at privacyqueries@goneke.com.

To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your request. We may require you to verify your e-mail address or provide certain information in our records. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.