POPIA Compliance Notice

1. Purpose of This Notice

This POPIA Compliance Notice is issued by Bierkraal Mining Resources (Pty) Ltd ("BMR") in terms of the Protection of Personal Information Act, 2013 (POPIA). It informs you of your rights as a data subject and of BMR's obligations as the Responsible Party in terms of the lawful processing of your personal information.

2. Responsible Party

BMR is the Responsible Party as defined in POPIA, meaning we determine the purpose and means of processing personal information collected through our business activities, website, and stakeholder engagement programmes.

Registered Address: Office No. 14, Falah Centre, Waterfall Park, Rustenburg, North West, 0299, South Africa.

3. Information Officer

BMR has appointed an Information Officer as required by POPIA, with responsibility for ensuring compliance across all processing activities. Queries relating to the processing of personal information, or requests to exercise your rights, may be submitted to the Information Officer at our registered office address.

4. Conditions for Lawful Processing

BMR will only process your personal information if at least one of the following lawful grounds applies:

• Consent: You have voluntarily given consent to the processing for one or more specific purposes
• Contractual necessity: Processing is necessary for the performance of, or to enter into, a contract with you
• Legal obligation: Processing is required to comply with a legal or regulatory obligation binding on BMR
• Legitimate interest: Processing is necessary for the legitimate interests of BMR, balanced against your rights and interests
• Public interest: Processing is necessary for the proper performance of a public law duty by a public body

5. Rights of Data Subjects Under POPIA

As a data subject, you have the following rights in terms of POPIA:

• Right to notification — To be notified at the time of collection that your personal information is being collected and the purposes thereof
• Right of access — To request access to and a copy of the personal information BMR holds about you
• Right to correction or deletion — To request that inaccurate, incomplete, misleading, or outdated personal information be corrected or deleted
• Right to object — To object at any time to the processing of your personal information on reasonable grounds relating to your particular situation
• Right to complain — To submit a complaint to the Information Regulator if you believe your rights under POPIA have been infringed

6. How to Exercise Your Rights

To exercise any of your rights under POPIA, submit a written request to BMR's Information Officer at our registered office address. We will respond within a reasonable time and in accordance with POPIA's requirements.

Requests should include your full name, contact details, and a description of the personal information to which the request relates.

7. Information Regulator of South Africa

If you are dissatisfied with BMR's handling of your personal information or your request, you have the right to lodge a complaint with the Information Regulator:

• Email: inforeg@justice.gov.za
• Website: www.justice.gov.za/inforeg
• Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

8. Security Safeguards

BMR implements reasonable technical and organisational measures to secure the integrity and confidentiality of personal information in its possession or under its control. In the event of a security compromise or data breach, BMR will take steps to notify affected data subjects and the Information Regulator as required by POPIA.

9. Transborder Flows of Personal Information

BMR will not transfer personal information to a foreign country unless the recipient country has adequate data protection laws, or the recipient is bound by equivalent obligations, or you have consented to the transfer, in accordance with the requirements of POPIA.

10. Retention and Destruction

BMR retains personal information only for as long as is necessary for the purposes for which it was collected, or as required by law. Personal information that is no longer required is securely destroyed or de-identified in a manner that prevents reconstruction.