Privacy Policy

For the purposes of this Privacy Policy, unless the context otherwise requires, the following terms shall have the meanings assigned to them:

• “Data Subject” means the natural person to whom the personal information relates, being any user of this website or any individual whose personal information is processed by Ubuntu Harmony Foundation.
• “Information Officer” means the person appointed by Ubuntu Harmony Foundation in terms of section 55 of POPIA, responsible for overseeing data protection compliance.
• “Operator” means any third party that processes personal information on behalf of Ubuntu Harmony Foundation in terms of a written agreement.
• “Personal Information” has the meaning ascribed thereto in section 1 of POPIA, including but not limited to information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, birth, education, medical, financial, criminal or employment history, any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or biometric information.
• “Processing” means any operation or activity concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, consultation, use, dissemination, distribution, making available, merging, linking, blocking, erasure, or destruction.
• “Responsible Party” means Ubuntu Harmony Foundation, being the entity that determines the purpose and means for processing personal information.
• “Special Personal Information” means personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of a Data Subject, as defined in POPIA.

Ubuntu Harmony Foundation is a duly registered Non-Profit Organisation under the Non-Profit Organisations Act 71 of 1997 (Registration Number: 334-185-NPO) and a company incorporated under the Companies Act (Registration Number: 2025/287672/08), recognised by the South African Revenue Service as a Public Benefit Organisation compliant with sections 30 and 18A of the Income Tax Act 58 of 1962.

This Privacy Policy is drafted and implemented in strict compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), the Electronic Communications and Transactions Act 25 of 2002, the Promotion of Access to Information Act 2 of 2000, and all other applicable South African legislation governing the processing of personal information.

As the Responsible Party, Ubuntu Harmony Foundation is legally obligated to process personal information in a manner that is lawful, reasonable, and justifiable, giving due consideration to the legitimate interests, rights, and freedoms of Data Subjects.

We collect and process only such personal information as is necessary for the lawful functioning of our organisation and the fulfilment of our stated objectives. The categories of personal information processed include, without limitation:

3.1 Information Voluntarily Provided by Data Subjects

• Donor Information: Full name, identity or passport number, residential or business address, contact telephone numbers, e-mail addresses, banking or payment card details, and donation history.
• Volunteer and Employment Information: Curriculum vitae, qualifications, employment history, professional certifications, identity documents, reference details, and background verification data.
• Program Interest Data: Demographic data, educational background, financial circumstances, household composition, and expressed areas of interest provided by individuals who register for updates on future Ubuntu Harmony Foundation programs.
• Event and Communication Data: Names, contact details, dietary requirements, accessibility needs, and preferences indicated in correspondence or registration forms.
• Newsletter Subscribers: E-mail addresses, names, and stated areas of interest.

3.2 Automatically Collected Technical Information

• Device and Connection Data: Internet Protocol (IP) addresses, browser type and version, operating system, device identifiers, and geolocation derived from IP addresses.
• Usage Metadata: Uniform Resource Locators (URLs) visited, timestamps of visits, duration of page engagement, clickstream data, and referral source analytics.
• Tracking Technologies: Information collected through HTTP cookies, session tokens, web beacons, pixel tags, and similar technologies as further detailed in section 10 below.

3.3 Information Received from Third Parties

We may receive personal information from payment processors, banking institutions, referral partners, social media platforms, public databases, and law enforcement agencies, provided that such receipt is lawful and that the third party has obtained the requisite consent or has another lawful basis for disclosure.

In terms of section 11 of POPIA, personal information may only be processed if the processing is adequate, relevant, and not excessive, having regard to the purpose for which it is processed. The purposes for which we process personal information are:

• Donation Administration: To receive, process, record, and acknowledge monetary and in-kind donations; to issue section 18A tax deduction certificates; to maintain donation registers as required by SARS; and to comply with auditing and financial reporting obligations.
• Program Delivery and Preparation: To assess eligibility criteria, maintain waitlists for, and plan the future rollout of educational, health, empowerment, and community development programs scheduled to commence in 2026.
• Communication and Relationship Management: To disseminate newsletters, annual reports, impact assessments, event invitations, and fundraising appeals; to respond to enquiries and complaints; and to manage stakeholder relationships.
• Operational Improvement: To conduct internal research, impact evaluation, statistical analysis, and quality assurance in respect of our programs and services.
• Legal and Regulatory Compliance: To fulfil obligations imposed by the NPO Act, the Companies Act, the Income Tax Act, the Labour Relations Act, and other applicable legislation; to respond to subpoenas, court orders, or regulatory directives; and to co-operate with law enforcement agencies.
• Risk Management and Security: To detect, investigate, and prevent fraud, cyberattacks, unauthorised access, and other unlawful activities; to enforce our terms and conditions; and to protect the rights, property, and safety of Ubuntu Harmony Foundation, its staff, beneficiaries, and the public.

We shall not process personal information for a purpose other than that for which it was originally collected, unless such further processing is compatible with the original purpose, the Data Subject consents, or the processing is required by law.

The processing of personal information by Ubuntu Harmony Foundation is justified on one or more of the following lawful grounds, as contemplated in section 11 of POPIA:

• Consent: The Data Subject has provided voluntary, specific, and informed consent, evidenced by affirmative action, for the processing of personal information for one or more specified purposes. Consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent prior to withdrawal.
• Contractual Necessity: Processing is necessary for the conclusion or performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract.
• Legal Obligation: Processing is necessary for compliance with a legal obligation to which Ubuntu Harmony Foundation is subject, including statutory reporting, tax compliance, and regulatory filings.
• Legitimate Interests: Processing is necessary for pursuing the legitimate interests of Ubuntu Harmony Foundation as a public benefit organisation, or those of a third party to whom the information is supplied, provided that the fundamental rights and freedoms of the Data Subject do not override such interests.
• Public Interest: Processing is necessary for the proper performance of a public law duty by a public body, or in the interests of national security.
• Protection of Data Subject: Processing is necessary to protect the legitimate interests of the Data Subject, including where the Data Subject is physically or legally incapable of giving consent.

Ubuntu Harmony Foundation treats all personal information as strictly confidential. We do not sell, rent, lease, or otherwise commercialise personal information. Disclosure of personal information to third parties occurs solely in the following circumstances and subject to the safeguards described below:

6.1 Disclosure to Operators

We may engage Operators to process personal information on our behalf. Such Operators include, without limitation, payment gateway providers, cloud hosting services, customer relationship management platforms, e-mail marketing services, and accounting firms. Every Operator is bound by a written agreement that:

• Establishes the specific processing instructions and limitations applicable to the personal information;
• Requires the Operator to treat the information as confidential and to implement appropriate technical and organisational security measures;
• Prohibits the Operator from engaging sub-processors without our prior written authorisation;
• Requires the Operator to notify us without undue delay of any actual or suspected data breach;
• Provides for the return or secure destruction of personal information upon termination of the agreement.

6.2 Disclosure for Legal or Regulatory Reasons

We may disclose personal information where required or permitted by law, including in response to valid court orders, subpoenas, warrants, or directives from regulatory authorities; to enforce our legal rights; to protect the safety and security of individuals; or to prevent or investigate fraud, money laundering, or other unlawful conduct.

6.3 Disclosure with Consent

Where a Data Subject has provided explicit consent, we may share personal information with partner organisations, academic institutions, funding bodies, or government departments for joint program implementation, research, or reporting purposes, strictly within the scope of the consent granted.

6.4 Business Succession

In the event of a merger, amalgamation, restructuring, or transfer of assets, personal information may be transferred to a successor entity, provided that the successor assumes the obligations of this Privacy Policy and continues to process the information in accordance with POPIA.

In fulfilment of our obligations under section 19 of POPIA, Ubuntu Harmony Foundation has implemented and maintains appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information in our possession or under our control.

These measures include, but are not limited to:

• Encryption: All data transmitted between your browser and our servers is protected using Transport Layer Security (TLS 1.2 or higher). Sensitive data at rest is encrypted using industry-standard algorithms.
• Access Control: Access to personal information is granted exclusively on a need-to-know basis, governed by role-based permissions, multi-factor authentication, and unique user credentials.
• Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning are deployed to protect against unauthorised network access.
• Physical Security: Servers and backup media are housed in secure, access-controlled facilities with environmental monitoring and redundant power.
• Personnel Protocols: All staff, volunteers, and contractors with access to personal information are bound by confidentiality undertakings and receive regular data protection training.
• Incident Response: A documented data breach response plan is maintained, providing for the identification, containment, assessment, notification, and remediation of security incidents.
• Regular Audits: Independent security assessments, penetration testing, and compliance audits are conducted at least annually.

Notwithstanding the above, no security system is impenetrable. Ubuntu Harmony Foundation cannot guarantee the absolute security of information transmitted over the internet. Data Submits transmit information at their own risk, and we encourage the use of strong passwords and secure devices.

Personal information is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Once the retention period has expired, or upon lawful request by the Data Subject, personal information is securely destroyed, deleted, or de-identified in accordance with POPIA and our internal records management policy.

Indicative retention periods are as follows:

• Donation and Financial Records: Minimum of five (5) years from the date of the transaction, as prescribed by the Tax Administration Act 28 of 2011 and SARS requirements.
• Section 18A Tax Certificates: Minimum of five (5) years from the date of issuance.
• Volunteer and Employment Records: Duration of the engagement plus three (3) years, or longer where required by labour legislation.
• Future Program Interest Records: Retained for the duration of the Foundation's planning and rollout phase, or until the Data Subject withdraws interest, after which records are securely destroyed within ninety (90) days.
• Newsletter Subscriptions: Until the Data Subject unsubscribes or withdraws consent, after which the e-mail address is deleted within thirty (30) days.
• Website Analytics and Log Data: Retained in identifiable form for twenty-six (26) months, after which it is anonymised or destroyed.
• General Correspondence: Two (2) years from the date of resolution or final response.

Destruction methods include secure digital shredding, cryptographic erasure, and physical shredding of paper records, as appropriate to the medium.

POPIA grants Data Subjects a comprehensive suite of rights in respect of their personal information. Ubuntu Harmony Foundation recognises and upholds the following rights:

• Right of Access (Section 23): A Data Subject has the right to request confirmation of whether we hold personal information about them, and to request a description of such information, the identity of third parties who have had access to it, and the purposes of processing.
• Right to Rectification (Section 24): A Data Subject may request the correction, updating, or completion of inaccurate, incomplete, or misleading personal information.
• Right to Erasure (Section 24): A Data Subject may request the deletion or destruction of personal information that is no longer necessary for the purpose for which it was collected, or where the processing was unlawful.
• Right to Object to Processing (Section 11(3)): A Data Subject may object, on reasonable grounds, to the processing of personal information. We shall cease processing unless justified by law or the legitimate interests of the Responsible Party.
• Right to Object to Direct Marketing (Section 11(2)): A Data Subject may at any time, without justification, object to the processing of their personal information for direct marketing purposes and withdraw consent for electronic marketing.
• Right to Lodge a Complaint (Section 74): A Data Subject who is aggrieved by a decision or action of Ubuntu Harmony Foundation may lodge a complaint with the Information Regulator of South Africa.
• Right to Civil Remedies (Section 99): A Data Subject who suffers damage as a result of a breach of POPIA may institute civil proceedings for damages in a court of competent jurisdiction.

To exercise any of the foregoing rights, a Data Subject must submit a written request to our Information Officer, providing sufficient detail to identify the information in question and the right being invoked. We shall respond within a reasonable period, not exceeding forty (40) business days, and may charge a reasonable fee for manifestly unfounded or excessive requests.

Our website employs cookies, web beacons, and analogous tracking technologies to enhance functionality, analyse traffic patterns, and improve user experience. A “cookie” is a small text file placed on your device that enables the website to recognise your browser and store certain preferences.

The categories of cookies deployed on this website are:

• Strictly Necessary Cookies: Essential for the operation of the website, including session management, security authentication, and load balancing. These cannot be disabled without impairing core functionality.
• Performance and Analytics Cookies: Collect aggregated, anonymised information about how visitors interact with the website, enabling us to measure and improve performance. These include cookies deployed by Google Analytics and similar platforms.
• Functional Cookies: Remember choices you make (such as language preference or region) to provide enhanced, personalised features.
• Marketing and Targeting Cookies: Track browsing habits to deliver relevant content and measure the effectiveness of our communications. These are deployed only with your explicit consent.

Upon your first visit, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You may modify your preferences at any time through your browser settings. Please note that disabling cookies may affect the functionality and performance of the website.

For comprehensive guidance on managing cookies, consult the documentation for your specific browser or visit www.allaboutcookies.org.

This website may contain hyperlinks to third-party websites, social media platforms, payment gateways, and external services. Ubuntu Harmony Foundation does not control, endorse, or assume responsibility for the privacy practices, content, or security of any third-party website.

We strongly encourage Data Subjects to review the privacy policies of any external website before submitting personal information. This Privacy Policy applies exclusively to information collected, processed, and stored by Ubuntu Harmony Foundation.

In terms of section 34 of POPIA, the personal information of a child may only be processed with the prior consent of a parent or legal guardian, unless the processing is necessary for the protection of the child, for the proper performance of a public law duty, or in compliance with a legal obligation.

Our website is not directed at children under the age of 18, and we do not knowingly collect personal information from children through this website without verified parental or guardian consent.

Where our programs require the collection of a child's personal information (for example, in educational or health interventions), we obtain written consent from the parent or legal guardian, implement enhanced security measures, and restrict access to authorised personnel only. If we become aware that we have collected personal information from a child without valid consent, we shall take immediate steps to delete such information.

Personal information collected by Ubuntu Harmony Foundation is primarily stored and processed within the Republic of South Africa. However, certain of our Operators may be located in jurisdictions outside South Africa, including but not limited to cloud service providers with data centres in the European Union, the United States, or other territories.

In terms of section 72 of POPIA, we shall not transfer personal information across borders unless:

• The recipient country or international organisation is subject to laws, binding corporate rules, or agreements that provide an adequate level of protection substantially similar to POPIA;
• The Data Subject has consented to the transfer;
• The transfer is necessary for the performance of a contract between the Data Subject and the Responsible Party, or for the implementation of pre-contractual measures taken at the Data Subject's request;
• The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Responsible Party and a third party;
• The transfer is necessary for the protection of the Data Subject's vital interests; or
• The transfer is necessary for the pursuit of legitimate interests of the Responsible Party, provided it does not prejudice the rights and freedoms of the Data Subject.

Where cross-border transfers occur, we ensure that appropriate safeguards are in place, including standard contractual clauses, adequacy assessments, and data processing agreements that require the recipient to maintain confidentiality and security standards comparable to those required by POPIA.

In compliance with sections 22 and 23 of POPIA, Ubuntu Harmony Foundation maintains a data breach response protocol. In the event of an actual or reasonably suspected unauthorised access to, acquisition of, or disclosure of personal information, we shall:

• Conduct an immediate investigation to assess the nature, scope, and severity of the breach;
• Take all reasonable steps to contain the breach, restore the integrity of our systems, and prevent further unauthorised access;
• Notify the Information Regulator without undue delay, and where feasible, within a reasonable period after discovery of the breach;
• Notify affected Data Subjects where the breach is likely to result in serious risk to their rights and freedoms, providing clear and plain language descriptions of the breach, the categories of information involved, the steps taken, and recommended remedial measures;
• Document all breaches, including the facts, effects, and remedial action taken, and make such documentation available to the Information Regulator upon request.

Ubuntu Harmony Foundation reserves the right to amend, modify, or update this Privacy Policy at any time to reflect changes in our information practices, legal obligations, or operational requirements.

Material changes shall be communicated to Data Subjects via e-mail (where contact details are available) or through a prominent notice on the homepage of this website, at least thirty (30) days before the changes take effect, except where earlier implementation is required by law.

The “Last Updated” date at the top of this document indicates when the most recent revisions were made. Continued use of this website after changes have been posted constitutes acceptance of the amended Privacy Policy.

For all enquiries, requests, complaints, or notifications relating to this Privacy Policy or our data protection practices, please contact our Information Officer:

NPO Registration Number: 334-185-NPO
Company Registration Number: 2025/287672/08
SARS-Compliant Public Benefit Organisation (PBO)
Section 18A Approved for Tax-Deductible Donations

Information Regulator of South Africa

Data Subjects who remain dissatisfied with our response may lodge a formal complaint with:

By accessing this website, submitting personal information, or engaging with Ubuntu Harmony Foundation in any capacity, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. You further confirm that you are legally competent to provide consent, or that you act with the authority of a parent, legal guardian, or duly authorised representative, as applicable.

If you do not agree with any provision of this Privacy Policy, you must immediately discontinue use of this website and refrain from submitting personal information to Ubuntu Harmony Foundation.