SALT PRIVACY PROTOCOL

01. THE OBJECTIVE

This Protocol defines the governance standards for the SALT ecosystem. Unlike standard “Privacy Policies” which treat data as a by-product, we treat your Entity Data as a critical asset.

By utilising SALT, you agree to the architectural and governance standards outlined herein. If you are a Merchant (“the Entity”), this Protocol operates alongside and in parallel with your contractual agreement with Polyphrōn.

For the purposes of applicable data protection laws, including the Protection of Personal Information Act, 2013 (South Africa) (“POPIA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Polyphrōn t/a Polynoesis (Pty) Ltd acts as the Responsible Party (POPIA) and Data Controller (GDPR).

02. SIGNAL ACQUISITION (COLLECTION)

We do not scrape. We ingest structured inputs only.

We collect and process personal information through the following vectors:

Direct Entity Input

When you register for, or interact with, SALT services, we collect identifiers including Entity name, contact details, account credentials, and operational business logic necessary to deliver the service.

Transaction Signals

When you execute a payment or generation event, we process the minimum transaction-related data required to fulfil the transaction, including billing coordinates and confirmation metadata. Payment card information is processed directly by secure, compliant third-party payment processors and is not stored by Polyphrōn.

System Telemetry

We utilise cookies and similar technologies to monitor system health, performance, latency, and interaction patterns (including device type and IP address). You retain control over cookies and local storage via your browser settings. Where required by applicable law, non-essential cookies are deployed only with user consent.

03. OPERATIONAL USAGE (PURPOSE & LAWFUL BASIS)

We process personal information only where a lawful basis exists.

Under POPIA and GDPR, processing occurs on one or more of the following bases:

• Contractual Necessity: To provide SALT services you have requested.
• Legal Obligation: To comply with applicable laws, including tax, accounting, and KYC requirements.
• Legitimate Interests: To operate, secure, and improve the platform, provided such interests are not overridden by your rights.
• Consent: Where explicitly obtained, particularly for optional marketing communications.

Personal information is used strictly for:

• Execution: Generating product listings, managing accounts, and processing transactions.
• Signal Transmission: Delivering service-related communications and updates.
• Compliance Architecture: Fraud prevention, KYC enforcement, and regulatory compliance.
• System Optimisation: Aggregated analytics to improve performance, integrity, and security.

04. EXTERNAL SIGNALS (DISCLOSURE)

We do not sell personal information.

Personal information may be disclosed only to trusted third parties where necessary:

• Processors & Infrastructure Providers: Hosting, analytics, payment processing, and security vendors acting under written data processing agreements.
• Legal Authorities: Where disclosure is required by law or necessary to prevent unlawful activity.
• Corporate Transactions: In the event of a merger, acquisition, or restructuring, personal information may transfer as part of the transaction, subject to continued protection under this Protocol.

All third parties are bound by confidentiality and data protection obligations consistent with POPIA and GDPR.

05. INTERNATIONAL DATA TRANSFERS

SALT operates globally. Personal information may be processed or stored outside your country of residence, including outside South Africa and the European Economic Area (EEA).

Where cross-border transfers occur, Polyphrōn ensures appropriate safeguards are in place, including:

• Adequacy decisions recognised under GDPR
• Standard Contractual Clauses or equivalent contractual protections
• Other lawful transfer mechanisms permitted under POPIA and GDPR

By using SALT, you acknowledge and consent to such transfers where necessary for service delivery.

06. THE FORT KNOX PROTOCOL (SECURITY)

Security is embedded by design.

We implement appropriate technical and organisational measures to protect personal information against loss, unauthorised access, disclosure, or destruction, including encryption, access controls, monitoring, and incident response procedures.

You are responsible for safeguarding your access credentials and must notify us immediately of any suspected unauthorised access.

Nothing in this Protocol limits Polyphrōn’s statutory obligations under POPIA or GDPR in the event of a personal data breach.

07. DATA RETENTION

Personal information is retained only for as long as necessary to fulfil the purposes outlined in this Protocol or to comply with legal, regulatory, or contractual obligations.

Once no longer required, data is securely deleted or irreversibly anonymised.

08. YOUR RIGHTS (POPIA & GDPR)

Subject to applicable law, you have the right to:

• ACCESS: Request confirmation of whether personal information is processed and obtain a copy.
• RECTIFICATION: Correct inaccurate, incomplete, or misleading information.
• ERASURE: Request deletion of personal information, subject to lawful retention requirements.
• RESTRICTION: Request limited processing in certain circumstances.
• OBJECTION: Object to processing based on legitimate interests or direct marketing.
• DATA PORTABILITY: Receive personal information in a structured, machine-readable format (GDPR).
• WITHDRAW CONSENT: Withdraw consent at any time where processing is based on consent.
• COMPLAINT: Lodge a complaint with the relevant supervisory authority.

Requests may be submitted using the contact details below.

09. MINORS

SALT is not intended for use by individuals under 18 years of age. We do not knowingly process personal information of minors. Any such information identified will be deleted without delay.

10. CONTACT & DATA PROTECTION OVERSIGHT

For privacy-related enquiries, rights requests, or security concerns:
Privacy Team/Information Officer/Data Protection Contact
Email: privacy@polyphronai.com

You also have the right to lodge a complaint with:
The Information Regulator (South Africa), or
Your local EU supervisory authority (GDPR), where applicable.

Where required under Article 27 of the GDPR, Polyphrōn will appoint an EU representative and make relevant contact details available.

11. CONTACT

For legal, compliance, or contractual enquiries:

Last updated: 2026-01-02