Data protection information, 2025

Thank you for visiting the website of Crofts Gears (Pty) Ltd (www.croftsgears.co.za and www.croftsgears.com) and for your interest in our company and products. The privacy and protection of your personal data is important to us and we take this into account in all our business processes. We process and treat the personal data collected when you visit our websites confidentially and in accordance with legal requirements.

This Privacy Policy describes how Crofts Gears (Pty) Ltd (the “Site”, “we”, “us”, or “our”) collects, uses, and discloses your information when you visit, use our services, or make a purchase from croftsgears.co.za and croftsgears.com (the “Site”) or otherwise communicate with us (collectively, the “Services”). For purposes of this Privacy Policy, “you” and “your” means you as the user of the Services, whether you are a customer, website visitor, or another individual whose information we have collected pursuant to this Privacy Policy.

Please read this Privacy Policy carefully. By using and accessing any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use or access any of the Services.

Personal data

We do not collect any personal data (e.g. name, address, phone number or e-mail addresses) via our website, except if you voluntarily make such data available (e.g. by emailing us, registering, filling in a form or participating in a survey), or if you have agreed, or if corresponding legal regulations regarding the data protection permit the use of your data.

Any information that we may collect and use varies depending on how you interact with us. In addition to the specific uses set out below, we may use any information we collect about you to communicate with you, provide the Services, comply with any applicable legal obligations, enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.

Use of personal data and principles of purpose

The personal data you provide is usually used to respond to your queries, process your orders or allow you to access specific information or offers.

To maintain customer relationships it may also be necessary for us to store and process personal data to be able to respond to your needs more effectively and improve our products or services; or for us (or a third party on our behalf) to use this personal data, at your request, to contact you about our offers that may be useful for your business or to conduct online surveys to be able to better meet the requirements and demands of our customers.

Of course, we respect your decision not to allow us to use your personal data to support our customer relationship (in particular for direct marketing or marketing research purposes). We will neither sell your personal data to third parties nor market it in any other way.

We will only collect, process or use the personal data you provide online for the specified purposes, unless the collection, processing or use:

• is for another purpose directly related to the original purpose for which the personal data was collected
• is necessary to prepare, negotiate or fulfil a contract with you
• is required by law or the responsible governmental or judicial authorities
• is necessary to establish or protect a legal claim or for defence in the face of legal action.

We may disclose your personal information or any non-personal data to other parties, included to our related entities or partners, third party service providers who provide services and products to us or through us, and representatives, agents or contractors who are appointed by us in the ordinary course, operation, administration or promotion of our business. From time to time, these third parties may be located (and therefore your personal information or any non-personal data may be disclosed) overseas, including Australia, Canada, Germany, the United Kingdom, the United States of America, New Zealand, and Spain. We may use and disclose your personal information or any non-personal data for direct marketing purposes, unless you opt out. By providing your personal information, you agree to its use and disclosure in accordance with this Privacy Policy. If you do not agree, you must not provide your personal information, and we may not be able to undertake certain activities for you, such as providing you with requested information, products or services.

Automatically recorded information (non-personal data)

When you access our websites, we may automatically (i.e. without a registration process) record general non-personal information (e.g. type of Internet browser and operating system used, date and time of your visit, domain name of the website from which you accessed our site, number of visits, average time spent on the site, pages viewed).

Data is collected and saved on these websites for marketing and optimisation purposes using various applications and technologies. User profiles can be created under a pseudonym using this data. Cookies can be used for this purpose. Cookies are small text files that are stored locally in the clipboard of your Internet browser when you visit a website. Cookies enable a site to recognise the Internet browser again. Data collected using the various applications and technologies will not be used to personally identify visitors to this website and will not be combined with the personal data of the anonymous profile without the express permission of the respective individual.

We use this data to monitor the success of our websites and improve their performance or content.

Use of cookies

Crofts Gears (Pty) Ltd cookies

When you visit one of our websites, information in the form of a “cookie” may be saved on your computer, which will automatically recognise your computer the next time you visit our site. Cookies enable us, for instance, to adapt the viewing preferences and functions of our website to your interests, or to save your password so that you will not have to enter it again every time you visit our site. If you do not want us to recognise your computer, you can set up your Internet browser to delete cookies from your hard drive, block cookies or issue a warning before storing a cookie. It can, however, mean that individual functions and features on our website will no longer be available.

Third-party cookies

Some websites and applications feature content and services from other providers, which may use their own cookies and active components. Crofts Gears (Pty) Ltd has no influence on the way these providers process personal data. Please see the websites of these providers to find out about how they handle your data.

Information we obtain from Third Parties

Finally, we may obtain information about you from third parties, including from vendors and service providers who may collect information on our behalf, such as:

Companies who support our Site and Services

Our payment processors, who collect payment information (e.g., bank account, credit or debit card information, billing address) to process your payment in order to fulfil your orders and provide you with products or services you have requested, in order to perform our contract with you.

When you visit our Site, open or click on emails we send you, or interact with our Services or advertisements, we, or third parties we work with, may automatically collect certain information using online tracking technologies such as pixels, web beacons, software developer kits, third-party libraries, and cookies.

Any information we obtain from third parties will be treated in accordance with this Privacy Policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and are not responsible for any third party’s policies or practices.

Facebook

Our websites may use functions (“plug-ins”) from the Facebook.com social network, which is run by Facebook Inc., Palo Alto, California, USA. The plug-ins are activated when you click the corresponding button. By activating this plug-in, you are connecting to Facebook and consenting to transmission of your data to Facebook. If you are logged in to Facebook, Facebook can assign the visit to our websites to your Facebook account. If you click the button, the relevant information from your browser will be sent straight to Facebook and stored there. You can find out about the purpose and scope of Facebook’s data collection, further processing and use of your data by Facebook, and your related rights and setting options for protecting your privacy by reading Facebook’s privacy policy. If you do not want Facebook to assign visits to our websites to your Facebook account, please log out of your Facebook account.

YouTube

Our websites may use the YouTube video platform, which is run by YouTube LLC, San Bruno, USA. YouTube is a platform that enables playback of audio and video files. Some of our website contain embedded YouTube videos. When you call up this type of website, the embedded YouTube video player connects to YouTube to ensure technical transmission of the video or audio file. Data is transmitted to YouTube when making a connection with YouTube. You can find out about the purpose and scope of the data collection, further processing and use of your data by YouTube, and your related rights and setting options for protecting your privacy by reading YouTube’s privacy policy.

Right to revoke permission

Permission for the collection and storage of your data can be revoked at any time with respect to subsequent services. You can revoke permission for the collection, processing and use of your personal data at any time with respect to subsequent services. In this case, please contact us. Personal data is deleted if you revoke permission for its storage, if your personal data is no longer required for the purpose for which it was originally stored, or if storage is no longer permissible for other legal reasons. This does not affect data required for billing and accounting purposes, or that has to be stored for legal reasons.

Safety

Crofts Gears (Pty) Ltd may implement technical and organisational security measures to protect your personal data against unintentional or unlawful deletion, alteration or loss as well as unauthorised disclosure or access but gives no guarantee of protection.

Use of external links

Our websites contain links to other websites. Crofts Gears is not responsible for the data protection policies or the content of other websites.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the date and take any other steps required by applicable law.

Contact

For information, suggestions and complaints regarding the processing of your personal data, please refer to the contact address specified on the Site. Should incorrect information be stored, despite our efforts to ensure that the data stored is accurate, we will correct this information at your request.

Notification of security compromise as per section 22 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”)

Dear Stakeholder,

In July 2025, we discovered that a cyber-attack on a stakeholder organisation involving a Business Email Compromise (BEC) had occurred. As is common with cyber-attacks or a BEC of this nature, the bad actor responsible for this malicious conduct is not known to us. Another incident occurred at the end of July 2025, believed to be a separate incident, involving a malicious mail rule change to a specific email account, resulting in the dissemination of spam. This incident was quickly contained. This notice serves to inform you that certain personal information in South Africa, including business email addresses, may have been exposed or accessed.

We take the privacy and security of our stakeholders’ data seriously, and considerable measures have been taken to ensure the safety and integrity of our stakeholders’ information, including engaging the stakeholder organisation on this incident. We believe there is limited risk to data subjects in relation to the information that may have been accessed; however, we will continue to monitor the situation. As an added precaution, we recommend that you remain vigilant and review your security protocols, and remind your employees and colleagues to remain vigilant against BEC or phishing attempts. Please be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information, or make requests concerning a change in bank details. We strongly suggest that you undertake all due diligence. If you are unsure of the source of a communication or any information in that communication, including banking details, we strongly suggest that you telephone the relevant office or persons and verify that information prior to making payment. We regret any inconvenience which may have resulted from this incident.

Potential information that might have been accessed

For individuals, the data may include, where applicable, personal details such as your name, contact details, employment designation, or other information that you may have included in any business email communications.

For businesses, possible categories of information may include, where applicable, business name; registration and VAT numbers; contact and banking details; and information contained in contracts.

Steps that have been taken since the BEC occurred

As soon as we became aware of the BEC and mail rule change, we engaged our IT support to determine the scope of the BEC and take prompt action to ensure system security.

The BEC and mail rule change had been contained, but we remain vigilant and are closely monitoring all systems. To minimise the chances of any BEC in the future, we have and are implementing further measures to enhance the security of our network, systems and data. We are committed to continuous improvement and will continue to evaluate and implement additional available steps to further refine the security of our environment.

We have notified the South African Information Regulator and relevant parties as is required by Section 22 of POPIA.

Potential use of the information

Please be aware that access to personal information, including business email addresses, can create a heightened risk of criminals attempting to impersonate you or trick you into disclosing further information about yourself or your organisation. This could potentially be used by third parties in various ways to commit fraudulent scams, digital profile hacks, identity theft or to intercept your communications.

GENERAL Precautionary steps that can be taken

As a precaution, we advise following these security guidelines as good practice to protect yourself:

To mitigate against the risk of fraud, you can place a fraud alert on your credit report at any of the major credit bureaus.

You can register for a free Protective Registration listing with the Southern Africa Fraud Prevention Service to help protect you against the risks of compromised identity information at:https://www.safps.org.za/Home/OurServices_ApplyProtectiveRegistration)

Remain vigilant against any suspected unauthorised use of your personal information

Be cautious of any unsolicited communications that ask for your personal information or that refer you to a web page asking for personal information: fraudsters often pose as officials from trusted authorities like the police or banks.

Change your passwords regularly, do not use the same password for business and private activities and never share these with anyone else

Avoid clicking on links or downloading attachments from suspicious emails

Make sure your cyber training, particularly regarding malicious attacks (phishing, etc.), is up to date.

Call to verify banking or other information received, especially where there is a request to change banking details.

If you have any questions or require further assistance, please contact our offices.