PROPCHAT — OPERATOR AGREEMENT =============================================================================== Last updated: 2026-05-06 Version: 2026-05-06-cold-outreach-draft *** DRAFT — PENDING LAWYER REVIEW. NOT YET EFFECTIVE. *** This Operator Agreement is the written contract required by POPIA Sections 20 and 21, governing PropChat's processing of personal information on behalf of the Agency. It forms part of the Terms of Service at https://propchat.co.za/legal/terms and is incorporated by reference into the Agency's subscription contract. The HTML canonical version is at https://propchat.co.za/legal/operator-agreement. This text version is provided for the Agency's records. ------------------------------------------------------------------------------- 1. ROLES UNDER POPIA ------------------------------------------------------------------------------- For end-customer personal information processed through PropChat: - The Agency is the Responsible Party (POPIA s1). - PropChat is the Operator (POPIA s1). The Agency determines the purpose and means of processing, subject to the constraints of the PropChat software. PropChat processes only on the Agency's documented instructions, expressed through the Agency's ordinary use of the service. For Agency-facing data (agent accounts, billing, support communications), PropChat is the Responsible Party. See the Privacy Policy at https://propchat.co.za/legal/privacy. ------------------------------------------------------------------------------- 2. SUBJECT MATTER AND DURATION ------------------------------------------------------------------------------- Subject matter: WhatsApp messaging delivery, contact management, campaign delivery, the unified inbox, the rule-based chatbot flow engine, audit logging, and related SaaS functionality on the Agency's behalf. Duration: The term of the Agency's subscription, plus the 90-day post-cancellation deletion window described in Section 11. ------------------------------------------------------------------------------- 3. NATURE AND PURPOSE OF PROCESSING ------------------------------------------------------------------------------- Delivery of WhatsApp messages, receipt and storage of replies, logging of delivery and read status, storage of contact lists and consent records, aggregation of analytics, enforcement of platform-level safeguards, and automated rule-based chatbot flows for lead qualification. ------------------------------------------------------------------------------- 4. TYPES OF PERSONAL INFORMATION ------------------------------------------------------------------------------- - Phone numbers (E.164) of end-customers - Names and surnames of end-customers - South African ID numbers (where supplied via Loom imports) - Physical addresses, suburbs, property attributes - Email addresses (optional) - WhatsApp profile display names - Message content (inbound and outbound) - Message timestamps, delivery and read receipts, error codes - Opt-in, opt-out, and repermission event records - Campaign interaction metadata - Lawful-basis attestation records ------------------------------------------------------------------------------- 5. CATEGORIES OF DATA SUBJECTS ------------------------------------------------------------------------------- - End-customers of the Agency, primarily property owners and prospective sellers / buyers in the Agency's operating areas. - Other contacts the Agency has lawfully obtained for direct marketing. ------------------------------------------------------------------------------- 6. PROPCHAT'S OBLIGATIONS AS OPERATOR (POPIA s20-21) ------------------------------------------------------------------------------- PropChat will: (a) Process personal information only with the knowledge or authorisation of the Agency, and only on the Agency's documented instructions, except as required by law. (b) Implement and maintain appropriate, reasonable technical and organisational security measures as required by POPIA s19. Specific safeguards: encryption-at-rest for sensitive credentials (Fernet-symmetric encryption of WABA access tokens and 2FA PINs), HTTPS-only public surfaces, signed webhooks (HMAC-SHA256 with strict-mode rejection of unsigned or bad-signature payloads), per-tenant isolation of contact and message data, audit logging of administrative actions. (c) Treat personal information as confidential and ensure that any personnel authorised to process it are bound by confidentiality obligations. (d) Notify the Agency without undue delay on becoming aware of any security compromise affecting the Agency's data. (e) Assist the Agency, on reasonable request and at the Agency's cost where non-trivial work is required, in responding to data subject requests, regulator investigations, and breach notifications. (f) Make available information reasonably necessary for the Agency to demonstrate compliance with its own POPIA obligations. (g) Not engage a subprocessor for the processing of end-customer personal information without the Agency's general prior authorisation, which is given for the subprocessors in Section 8 below. Notice of changes: at least 30 days before adding or replacing a material subprocessor. (h) On termination, return or delete end-customer personal information per Section 11 below. ------------------------------------------------------------------------------- 7. AGENCY'S OBLIGATIONS AS RESPONSIBLE PARTY ------------------------------------------------------------------------------- The Agency warrants that: (a) It has a valid lawful basis under POPIA s11 for every piece of personal information it imports, generates, or processes through PropChat -- typically consent under s11(1)(a), contract under s11(1)(b), or legitimate interest under s11(1)(f) read with s69(3) for direct marketing where there is a documented relationship. (b) It maintains verifiable records of that lawful basis for at least 3 (three) years, in a form sufficient to satisfy a request from the Information Regulator. (c) It has informed its end-customers in a POPIA-compliant privacy notice of the processing carried out through PropChat, including the fact that PropChat acts as Operator. (d) It will respond to end-customer data subject requests under POPIA s23-s25 within the timeframes set by POPIA, in its capacity as Responsible Party. (e) It will not instruct PropChat to process personal information in a manner that would breach POPIA, the WhatsApp Business Messaging Policy, or any other applicable law. Such instructions are deemed null and not part of the Agency's "documented instructions" under Section 1. (f) Lawful-basis attestations submitted at import time are true and complete to the best of the attesting agent's knowledge. ------------------------------------------------------------------------------- 8. AUTHORISED SUBPROCESSORS ------------------------------------------------------------------------------- - Meta Platforms Ireland Ltd / Meta Platforms Inc. Purpose: WhatsApp Business Platform message delivery and webhook ingress. Location: Ireland (controller); United States (global delivery). - PayFast (Pty) Ltd Purpose: Subscription billing for Agency-facing payments only. No end-customer personal information passes to PayFast. Location: South Africa. - VPS infrastructure provider Purpose: Hosting of the PropChat application and database. Location: South Africa (Cape Town-region datacentre). ------------------------------------------------------------------------------- 9. CROSS-BORDER TRANSFERS ------------------------------------------------------------------------------- The Agency acknowledges and authorises that end-customer personal information will be transferred to Meta Platforms Ireland Limited and to its affiliates (including Meta Platforms, Inc. in the United States) as part of the WhatsApp Business Platform delivery infrastructure. The transfer is performed under Meta's Standard Contractual Clauses (see https://www.whatsapp.com/legal/business-data-transfer-addendum) and is justified under POPIA s72(1)(a) and s72(1)(c). ------------------------------------------------------------------------------- 10. ASSISTANCE WITH DATA SUBJECT REQUESTS ------------------------------------------------------------------------------- If an end-customer contacts PropChat directly to exercise a right under POPIA s23-s25, we will: - Identify the Agency that processes the data; - Forward the request to the Agency without undue delay; - Confirm receipt to the data subject; - Where the Agency does not respond within a reasonable period, follow up with the Agency. PropChat does not itself answer the substantive request -- that is the Agency's role as Responsible Party. ------------------------------------------------------------------------------- 11. RETURN OR DELETION AT END OF SERVICE ------------------------------------------------------------------------------- On termination or expiry of the subscription, subject to the Agency's election: Export: The Agency may request a CSV export of its contact lists, message history, and audit trail within 30 days of cancellation. First export is provided at no charge. Deletion: PropChat will delete all end-customer personal information processed as Operator within 90 days of cancellation, except where retention is required by law (notably tax records under SARS retention rules). The Do Not Contact list is retained indefinitely at the phone-number level (no PII beyond the number) so that opt-outs are honoured across future subscriptions by any agency using PropChat. ------------------------------------------------------------------------------- 12. AUDIT RIGHTS ------------------------------------------------------------------------------- The Agency may, on at least 30 days' written notice and no more than once per calendar year, request a written summary of PropChat's technical and organisational measures. For agencies under regulator investigation, additional audit access may be agreed in writing on a per-case basis. The Agency bears its own costs. ------------------------------------------------------------------------------- 13. NOTICE OF CHANGES ------------------------------------------------------------------------------- PropChat may update this Agreement from time to time. Material changes will be notified by email at least 30 days before taking effect, with a banner on the Agency's dashboard and a re-acceptance gate at next sign-in. If the Agency does not agree, it may cancel before the change takes effect. ------------------------------------------------------------------------------- 14. EFFECTIVE DATE ------------------------------------------------------------------------------- This Agreement is effective as of 2026-05-06, version 2026-05-06-cold-outreach-draft. ------------------------------------------------------------------------------- 15. CONTACT ------------------------------------------------------------------------------- Operator-side contact (PropChat): Information Officer: Willem Reynders Email: privacy@propchat.co.za Postal: SA FitFoodz (Pty) Ltd 77 Walter Sisuku Street, Potchefstroom, North West, South Africa =============================================================================== End of Operator Agreement. ===============================================================================