This Privacy Policy applies to anyone who interacts with Simplify, including:

• clients and client representatives;
• candidates and employees whose personal information is processed through our Platforms;
• contractors, consultants, and service providers;
• visitors to our websites and digital platforms.

Depending on the circumstances, Simplify may act as either a responsible party or an operator (as those terms are defined in POPIA), or as a controller or processor under the GDPR. Where we act as an operator or processor, we process personal information on behalf of our clients and in accordance with their instructions and our contractual obligations to them.

We aim to collect only the personal information that is reasonably necessary to provide our services effectively, lawfully, and securely. The types of personal information we collect depend on how you interact with Simplify and may include, among other things:

• contact details, such as name, email address, telephone number, and business details;
• employment, recruitment, or application-related information, including CVs, work history, qualifications, and assessment information;
• identification information, such as identity numbers or passport numbers, where required for lawful or contractual purposes;
• documents uploaded or generated through our Platforms, including contracts, compliance documents, and onboarding records;
• technical and usage information, such as log data, device information, IP addresses, and interactions with our Platforms.

In limited circumstances, we may also process special personal information (as defined in POPIA) or special categories of personal data (as defined in the GDPR), where this is necessary for lawful purposes and appropriate safeguards are in place.

We process personal information for specific, explicit, and lawful purposes. These include, but are not limited to:

• providing, operating, and maintaining our recruitment, onboarding, and employee management services;
• enabling our clients to manage their hiring and employee processes;
• communicating with users, clients, and service providers;
• complying with legal, contractual, regulatory, and governance obligations;
• protecting the security and integrity of our Platforms;
• improving our products, services, and user experience;
• managing our business operations and relationships.

Where required under applicable law, we rely on appropriate lawful bases for processing, such as consent, contractual necessity, legal obligation, legitimate interests, or other recognised grounds.

We do not sell personal information. We only share personal information where it is lawful and necessary to do so, including:

• with our clients, where we process information on their behalf;
• with trusted third-party service providers who assist us in operating our Platforms (such as cloud hosting, security, and support services), under appropriate confidentiality and data protection agreements;
• where required by law, regulation, or a lawful request by a public authority;
• where necessary to protect our rights, users, or the integrity of our Platforms.

All third parties with whom we share personal information are required to implement appropriate safeguards and to process personal information only for authorised purposes.

Simplify primarily processes and stores personal information in South Africa. However, in some cases, personal information may be transferred to, stored in, or accessed from other countries, including jurisdictions outside South Africa or the European Economic Area.

Where we transfer personal information internationally, we take reasonable steps to ensure that the recipient country or organisation provides an adequate level of protection, or that appropriate safeguards are in place. These may include contractual protections, recognised transfer mechanisms, or other lawful measures required under POPIA or the GDPR.

We take the security of personal information seriously and implement appropriate technical and organisational measures to protect it against loss, unauthorised access, misuse, or disclosure. These measures include access controls, secure infrastructure, and the use of reputable service providers that meet recognised security standards.

While we take reasonable steps to safeguard personal information, no system is completely secure, and we cannot guarantee absolute security.

We retain personal information only for as long as is reasonably necessary to fulfil the purposes for which it was collected, to comply with legal or contractual requirements, or to resolve disputes. Retention periods may vary depending on the nature of the information and the context in which it is processed.

Subject to applicable law, you have certain rights in relation to your personal information, including the right to:

• request access to your personal information;
• request correction or updating of inaccurate or incomplete information;
• request deletion of personal information, where legally permissible;
• object to or restrict certain types of processing;
• withdraw consent, where processing is based on consent.

Requests to exercise these rights can be directed to privacy@simplify.hr. We may need to verify your identity before responding to a request.

Clients, employees, and authorised users of our Platforms are responsible for:

• using personal information only for legitimate business purposes;
• keeping access credentials secure;
• ensuring that personal information is handled in accordance with applicable laws and internal policies;
• promptly reporting any suspected data breaches or security incidents.

This version of the privacy policy was updated on 26 January 2026 and replaces any preceding privacy policies.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. Any updates will be published on our Platforms, and material changes will be communicated where appropriate.