PERSONAL DATA PROTECTION POLICY

1. Definitions

1.1. Company means the Tory Gold Ltd company, registration number 2016/ 147094/07, with legal address at 1 OAK COURT, CALEDON STREET, SOMERSET WEST,WESTERN CAPE 7130

1.2. Client means any natural person who uses, has used or has expressed a wish to use or is in other way related to any of the services or product provided by the Company.

1.3. Personal data means any information directly or indirectly related to the Client.

1.4. Processing means any operation carried out with Personal data, including collection, recording, storing, alteration, grant of access to, making enquiries, transfer, etc.

1.5. Consent means any freely given, specific, informed and unambiguous indication of the Client`s as data subject wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal data relating to him or her.

1.6. Data subject means a natural person who can be identified, directly or indirectly.

1.7. Controller means the person which determines the purposes and means of the Processing of Personal data.

1.8. Processor means an authorised person of the Controller, which processes Personal data on its behalf.

2. General provisions

2.1. Data protection policy, hereinafter the Policy, developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter the GDPR, is a document of the Company, which regulates the processing and protection of Personal data received by the Company about the Client.

2.2. The Policy aims to provide the Client - the Data subject - with information about the purpose of the Personal data Processing, the legal basis, the extent of the processing, protection and processing period at the time of the Personal data acquisition and processing Client's Personal data.

2.3. Personal data Controller is the Company. Contact details of the Company are available on the Company`s website: www.torygold.com.

2.4. Contact details of the coordinator of Personal data protection issues: [email protected]

2.5. Within the framework of applicable law (GDPR, national law), the Company ensures confidentiality of Personal data and has implemented appropriate technical and organisational measures to safeguard Personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data transmitted, stored or otherwise processed.

2.6. The Company may use Processors for Processing Personal data. In such cases, the Company takes needed steps to ensure that such Processors process Personal data under the instructions of the Company and in compliance with applicable law (GDPR, national law) and requires adequate security measures.

2.7. The Policy applies if the Client uses, has used or has expressed an intention to use or is in other way related to any of the services or goods provided by the Company, including the relationship with the Client established before this Policy entered into force.

2.8. The Company’s cookie policy is available on the Company’s website: www.torygold.com.

3. Personal data Processing principals

3.1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Client.

3.2. Personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

3.3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

3.4. Personal data shall be accurate and, where necessary, kept up to date.

3.5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

3.6. Personal data shall be processed in a manner that ensures appropriate security of the Personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

3.7. Personal data shall be processed in accordance with the rights of Data subjects under the GDPR.

3.8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of the Client in relation to the Processing of Personal data. In the absence of the above stated in this clause, a transfer of Personal data to a third country or an international organisation shall take place only under the conditions defined by the GDPR as derogation for specific situations.

4. Categories of Personal data

Personal data may be collected from the Client, from the Client’s use of the services and from external sources such as public and private registers or other third parties. Personal data categories which the Company primarily, but not only, collects and processes are:

4.1. Identification data such as name, personal identification code, date of birth, gender, data regarding the identification document (such as passport, ID card);

4.2. Contact data such as address, telephone number, email address, language of communication;

4.3. Financial data such as accounts;

4.4. Data obtained and/or created while performing an obligation arising from law such as data resulting from enquiries made by investigative bodies, tax administrator, courts;

4.5. Communication data collected when the Client registers at the Company`s website, communicates with the Company via e-mail, messages and other communication mechanisms such as social media, data related to the Client’s visit at the Company’s web sites or communicating through other the Company’s channels (such as Client`s account, etc.);

4.6. Data related to the services and goods such as the performance of the agreements or the failure thereof, executed transactions, concluded agreements, submitted applications, requests and complaints;

4.7. Data about habits, preferences and the level of satisfaction, such as the activeness of using the services, services used, personal settings, survey responses, Client satisfaction, the history of the actions using the Client’s account;

4.8. Data about participation in events arranged by the Company, such as video and photo materials, etc.

5. Purposes and legal basis for Personal data Processing

5.1. The Processing of Personal data takes place on a contractual basis for the following purposes: for the conclusion and performance of a contract:

5.1.1. identification of the Client;

5.1.2. the conclusion of the contract;

5.1.3. the supply of products and provision of services;

5.1.4. Clients` service;

5.1.5. handling and processing of the objections, complaints;

5.1.6. billing administration.

5.2. The Processing of Personal data takes place on a Consent basis for the following purposes:

5.2.1. the improvement of services, developing new products and services;

5.2.2. advertising of services or commercial purposes;

5.2.3. the Client loyalty increasing, satisfaction measurements.

5.3. The Processing of Personal data for the following purposes takes place on the legitimate interests:

5.3.1. in order to protect the Client's and/or the Company`s interest;

5.3.2. to provide evidence relating to the contracts and their performance (recordings, submitted documents and other information);

5.3.3. prevent, limit and investigate dishonest or unlawful use of the services and products provided by the Company;

5.3.4. conduct commercial activity.

5.4. The Processing of Personal data for the purpose of providing information to public authorities and subjects of operational activities is carried out on the basis of the fulfilment of the obligations defined by the law, in cases and to the extent established by external regulations.

5.5. Where the Company intends to further process the Personal data for a purpose other than that for which the Personal data were collected, the Company shall provide the Client prior to that further processing with information on that other purpose and with any relevant further information.

6. Profiling and automated decision - making

6.1. Profiling means any form of automated processing of Personal data, through the use of Personal data for the purpose of assessing certain Client related personal aspects, in particular to analyse or predict aspects in relation to the Client's personal preferences, interests, behaviour, location.

6.2. For personal offering and marketing based profiling, which is done according to the Company’s legitimate interest, as well as for assigning of reward units (bonuses) for participation in the TORY GOLD marketing incentives program. The Company ensures that Clients can make their choices and use a convenient tool to manage their privacy settings.

6.3. The Company can apply automated decision - making regarding to the Client. The Client will be informed about such activities of the Company on a case-by-case basis, in accordance with regulatory enactments.

6.4. Automated decision - making that creates legal consequences for the Client may only be made in the course of the conclusion or execution of the agreement between the Company and the Client, or on the basis of the Client's Consent.

7. Recipients of Personal data

Personal data is shared with other recipients, such as:

7.1. Authorities (such as law enforcement authorities, tax authorities, supervision authorities and financial intelligence units etc.);

7.2. Auditors, legal and financial consultants, or any other processor authorized by the Company;

7.3. Debt collectors upon assignment of claims, courts, out-of-court dispute resolution body and bankruptcy or insolvency administrators;

7.4. Other persons related to provision of services of the Company (product suppliers, credit institutions and financial institutions, etc.).

8. Storage periods

8.1. Personal data will be processed no longer than necessary.

8.2. The storage period may be based on agreement with the Client, the legitimate interest of the Company or applicable law (such as laws related to bookkeeping, statute of limitations, civil law, etc.).

8.3. After the circumstances specified in clause 8.2. are terminated, the Client's Personal data is erased.

9. Client`s rights as a Data subject and its implementation

A Client as a Data subject has rights regarding his/her Personal data processing. In general, such rights are needed to:

9.1. Require his/her Personal data to be corrected if it is inadequate, incomplete or incorrect;

9.2. Object to Processing of his/her Personal Data, if the use of Personal data isn’t based on legitimate interests, including profiling for direct marketing purposes (such as receiving marketing offers or participating in surveys);

9.3. Require the erasure of his/her Personal data, for example, that is being processed based on the consent, if he/she has withdrawn the Consent. Such right does not apply if Personal data requested to be erased is being processed also based on other legal grounds such as agreement or obligations based on applicable law;

9.4. Restrict the processing of his/her Personal data under applicable law, e.g. during the time when the Company assesses whether the Client is entitled to have his/her data erased;

9.5. Receive information if his/her Personal data is being processed by the Company and if so then to access it;

9.6. Receive his/her Personal data that is provided by himself - herself and is being processed based on Consent or in order to perform an agreement in written or commonly used electronical format and, where feasible, transmit such data to another service provider (data portability);

9.7. Withdraw his/her Consent to process his/her Personal Data. The withdrawal of the Consent does not affect the Processing of Personal data performed at the time when the Client's consent was valid. Withdrawal of the Consent cannot interrupt the Processing of Personal data performed on the other legal basis;

9.8. Not to be subject to fully automated decision-making, including profiling, if such decision-making has legal effects or similarly significantly affects the Client. This right does not apply if the decision-making is necessary in order to enter into or to perform an agreement with the Client, if the decision-making is permitted under applicable law or if the Client has provided his/her explicit Consent;

9.9. Lodge complaints pertaining to the use of Personal data to the supervisory authority according to the article 77 of the GDPR, if he/she considers that Processing of his/her Personal data infringes his/her rights and interests under applicable law.

9.10. The Client may submit a request for the exercise of his or her rights regarding the Processing of Personal data, including information on possible Personal data protection breaches:

9.10.1. by e-mail, indicated the Client`s registration number and username to identify the Client, and send to e-mail [email protected];

9.10.2. on the Company's website www.torygold.com, in the created Client`s account.

9.11. Upon receiving the Client's request for the exercise of its rights, the Company verifies the Client's identity, evaluates the request and executes it in accordance with regulatory enactments.

9.12. The Company shall respond to the Client's request in writing or by other means, including, if necessary, in electronic form (by e-mail or by sending it to the Client's account) taking into account, as far as possible, the manner in which the Client is provided with the response. When requested by the Client, the information may be provided orally, provided that the identity of the Client is proven.

9.13. The Company shall provide information on action taken on a request to the Client without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform the Client of any such extension within one month of receipt of the request, together with the reasons for the delay.

9.14. If the Company does not take action on the request of the Client, the Company shall inform the Client without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

10. Validity and amendments of the Policy

10.1. The Policy is provided to the Clients on www.torygold.com.

10.2. The Company is entitled to unilaterally amend the Policy at any time, in compliance with the applicable law, by notifying the Client of any amendments via website of the Company, via e-mails or in another manner.