
How this works. Fill in your company details — auto-saves to this browser. Click Save as PDF / Print, choose Save as PDF in the print dialog, sign, and email to partners@hopdrop.co.za. HopDrop counter-signs within 5 business days, which graduates your account from sandbox to live keys.

Data Processing Agreement

Merchant DPA

Pursuant to the Protection of Personal Information Act 4 of 2013 ("POPIA")

Parties

This Data Processing Agreement ("DPA") is entered into on ("Effective Date") between:

("Merchant" / "Responsible Party"), a private company duly registered in the Republic of South Africa under registration number , with its registered office at .

and

HopDrop (Pty) Ltd ("HopDrop" / "Operator"), a private company duly registered in the Republic of South Africa.

(Each a "Party", together the "Parties".)

1. Background and purpose

1.1 The Parties have entered (or will enter) into a commercial arrangement under which the Merchant uses the HopDrop API to book parcel deliveries to its customers (the "Services").

1.2 In the course of providing the Services, HopDrop will Process Personal Information of the Merchant's customers (the "Data Subjects") on the Merchant's behalf.

1.3 This DPA governs that Processing and incorporates the requirements of POPIA.

2. Definitions

In this DPA, capitalised terms have the meanings given to them in POPIA. Without limiting that:

2.1 "Personal Information" means information relating to an identifiable, living, natural person, including (where applicable) an identifiable, existing juristic person, as defined in section 1 of POPIA.

2.2 "Processing" has the meaning given in section 1 of POPIA.

2.3 "Responsible Party" and "Operator" have the meanings given in section 1 of POPIA. The Merchant is the Responsible Party; HopDrop is the Operator.

2.4 "Security Compromise" means any incident referred to in section 22 of POPIA.

2.5 "Sub-operator" means any third party engaged by HopDrop that Processes Personal Information on the Merchant's behalf.

3. Scope and purpose of Processing

3.1 HopDrop Processes Personal Information solely to perform the Services and as instructed by the Merchant via the HopDrop API.

3.2 Categories of Data Subjects: the Merchant's customers who are recipients of parcels delivered via HopDrop.

3.3 Categories of Personal Information Processed:

  1. Full name (recipient name);
  2. Mobile phone number in E.164 format;
  3. Email address (optional);
  4. Delivery address (street, suburb, city, postal code, geocoded latitude/longitude);
  5. Special delivery instructions;
  6. The last four digits of the recipient's phone number, used at delivery as a verification challenge for parcels with declared value above ZAR 500 (configurable per Merchant);
  7. Photographs taken at pickup and delivery, where the Parcel is the photograph subject and any incidental capture of the recipient is at the recipient's discretion.

3.4 Purpose: route a parcel from the Merchant's pickup location to the Data Subject, verify identity at handover, communicate delivery status to the Data Subject, and resolve disputes.

4. Obligations of HopDrop as Operator

HopDrop shall, in respect of all Personal Information Processed under this DPA:

4.1 Process Personal Information only on the documented instructions of the Merchant (this DPA, the API contract, and any subsequent written instructions);

4.2 treat Personal Information as confidential and ensure that personnel authorised to Process it are bound by confidentiality obligations;

4.3 implement the security safeguards described in Annex A;

4.4 assist the Merchant in fulfilling Data Subject rights requests received under POPIA (sections 23, 24, 25);

4.5 notify the Merchant of any Security Compromise within 24 hours of HopDrop becoming aware, providing all information reasonably required for the Merchant to discharge its obligations under section 22 of POPIA;

4.6 make available to the Merchant all information necessary to demonstrate compliance with this DPA, and permit the Merchant to audit such compliance once per year on 30 days' written notice (or more frequently following a confirmed Security Compromise affecting the Merchant's Personal Information);

4.7 not retain Personal Information beyond the periods set out in Annex B unless required to do so by law (in which case HopDrop shall notify the Merchant of the retention requirement).

5. Sub-operators

5.1 The Merchant grants HopDrop a general authorisation to engage Sub-operators to assist with the Services, subject to the conditions in this clause.

5.2 A current list of authorised Sub-operators is set out in Annex C. HopDrop will give the Merchant 30 days' written notice (by email to the Information Officer in clause 11.2) before adding or replacing a Sub-operator. The Merchant may object on reasonable grounds within that notice period.

5.3 HopDrop shall impose, by written agreement with each Sub-operator, data-protection obligations no less protective than those in this DPA.

5.4 HopDrop remains liable to the Merchant for the acts and omissions of its Sub-operators in respect of the Services.

6. Cross-border transfers

6.1 The Merchant acknowledges that, for the purposes of providing the Services, HopDrop transfers Personal Information to Sub-operators located outside the Republic of South Africa, as identified in Annex C.

6.2 HopDrop warrants that each cross-border transfer satisfies one of the conditions in section 72 of POPIA, including (without limitation) that the recipient is bound by binding corporate rules, standard contractual clauses, or laws providing an adequate level of protection.

7. Data Subject rights

7.1 Where HopDrop receives a Data Subject access, correction, or deletion request directly, it shall (i) acknowledge receipt to the Data Subject within 48 hours, (ii) forward the request to the Merchant's Information Officer within 72 hours, and (iii) take no further action without the Merchant's instruction except where law requires otherwise.

7.2 The Merchant may execute a deletion / right-to-erasure request via DELETE /v1/customers/{phone}, which anonymises all PII tied to that phone number while retaining anonymised delivery records for HopDrop's own statutory obligations (clause 8).

8. Retention

8.1 HopDrop shall delete or return Personal Information at the Merchant's instruction, subject to the retention periods in Annex B.

8.2 HopDrop shall retain transactional records (parcel manifests, delivery proofs, and audit logs in anonymised form) for a minimum of 5 years as required by SA tax and consumer-protection legislation, unless a longer period is agreed in writing.

8.3 On termination of the Services, HopDrop shall delete (or, at the Merchant's option, return) all live Personal Information within 30 days, retaining only the anonymised records permitted under clause 8.2.

9. Liability

9.1 Each Party is liable for damages directly caused by its breach of this DPA, capped per Data Subject and in aggregate per calendar year at the limits set out in clause 9.2.

9.2 Aggregate liability of either Party arising out of or in connection with this DPA in any calendar year is limited to the greater of (a) ZAR 500,000 or (b) the total fees paid or payable by the Merchant to HopDrop under the Services in the preceding 12 months.

9.3 Neither Party is liable for indirect, consequential, or punitive damages. Nothing in this clause limits a Party's liability for fraud, gross negligence, or wilful misconduct, or any liability that cannot be excluded under law (including under POPIA).

10. Term and termination

10.1 This DPA commences on the Effective Date and continues for as long as HopDrop Processes Personal Information for the Merchant.

10.2 Either Party may terminate this DPA on written notice to the other if the other materially breaches this DPA and fails to remedy within 14 days of written demand.

10.3 Termination of this DPA terminates HopDrop's authority to Process Personal Information for the Merchant. Clauses 4.7, 8, 9, and 12 survive termination.

11. Information Officers

11.1 HopDrop Information Officer: appointed and registered with the Information Regulator. Contact: privacy@hopdrop.co.za.

11.2 Merchant Information Officer:

Name
Email

12. General

12.1 Governing law. This DPA is governed by South African law.

12.2 Notices. By email to the Information Officer in clause 11, with confirmation of receipt.

12.3 Variation. No amendment is effective unless in writing and signed by both Parties.

12.4 Severability. If any clause is found unenforceable, the rest of this DPA remains in force.

12.5 Conflict. In the event of conflict between this DPA and the Services agreement, this DPA prevails for matters relating to Personal Information.

12.6 Counterparts. May be signed in counterparts and delivered electronically.

Annex A — Security safeguards

HopDrop implements appropriate, reasonable technical and organisational measures, including:

  • Encryption in transit: all API traffic uses TLS 1.2+ with HSTS.
  • Encryption at rest: production database (Postgres on Neon) uses AES-256 at rest. Photo storage (Cloudflare R2) uses AES-256 at rest.
  • Authentication: partner Bearer tokens hashed with HMAC-SHA256 before storage; user JWTs signed with rotating per-environment secrets.
  • Webhook integrity: outbound webhooks signed with HMAC-SHA256 (header HopDrop-Signature: t=<ts>,v1=<hex>) so the Merchant can verify origin.
  • Access control: production database access restricted to authorised personnel via SSO, with audit logging.
  • Least-privilege defaults: partner API keys are scoped (sandbox/live) with revocation; user data is partitioned per Merchant via partner_id.
  • Personnel: all engineers with production access are bound by written confidentiality obligations.
  • Backups: daily automated backups of production database with 7-day point-in-time recovery.
  • Vulnerability management: dependency updates monitored continuously; security patches applied within 14 days of vendor publication for critical issues.
  • Incident response: 24-hour acknowledgement, written breach notification within 72 hours per clause 4.5.

Annex B — Retention periods

| Data category | Retention period | Reason |
| --- | --- | --- |
| Live PII (name, phone, email, address) | Until DELETE /v1/customers/{phone} OR delivery + 14 days, whichever first | Allows claim window after delivery |
| Pickup/delivery photographs | 2 years from delivery | Dispute and HopDrop Guarantee claim evidence |
| Anonymised transaction records (no PII) | 5 years | Tax (Income Tax Act §29) + Consumer Protection |
| Webhook delivery logs | 90 days | Operational debugging only |
| Audit logs (admin actions) | 3 years | Internal accountability |

Merchant-specific retention override: if your industry requires shorter retention (e.g. healthcare data), specify here: . HopDrop will adjust deletion windows accordingly.

Annex C — Authorised Sub-operators

| Sub-operator | Function | Location | Section 72 basis |
| --- | --- | --- | --- |
| Neon Inc. | Postgres database hosting | EU (Frankfurt) | EU adequacy + DPA in place |
| Render Services Inc. | Application hosting | EU (Frankfurt) | EU adequacy + DPA in place |
| Cloudflare Inc. | R2 object storage (photo proofs) | Global edge (incl. ZA & EU) | DPA + standard contractual clauses |
| Clickatell (Pty) Ltd | SMS gateway (delivery PINs) | South Africa | Domestic — no transfer |
| Yoco Technologies | Card payment processing (when Merchant uses HopDrop checkout) | South Africa | Domestic — no transfer |

Last updated: 2026-05-11. Material changes to this list (new Sub-operator, change of region) trigger 30-day notice per clause 5.2.

Signed

For HopDrop (Pty) Ltd
Signature
Name
Position
Date

To be completed by HopDrop on counter-signature.

For
Signature
Name
Position
Date

Print, sign, scan, return.

HopDrop (Pty) Ltd · hopdrop.co.za · partners@hopdrop.co.za · privacy@hopdrop.co.za
DPA version 1.0 — generated 2026-05-11

Returning a signed copy

  1. Click Save as PDF / Print at the top.
  2. In the browser's print dialog, choose Save as PDF as the destination.
  3. Sign the PDF — either digitally (Acrobat Fill & Sign, Apple Preview Markup) or print, sign on paper, and scan.
  4. Email the signed PDF to partners@hopdrop.co.za.
  5. HopDrop counter-signs within 5 business days. Once executed, your merchant account graduates from sandbox to live scope (real production traffic).

Need redlines? Email a tracked-changes version of the same PDF — HopDrop responds within 3 business days. Material changes to Annex A (security), B (retention), or C (Sub-operators) may require lawyer review.