1. Definitions

• Applicable Data Protection Laws: POPIA (South Africa) and, where applicable, UK GDPR, EU GDPR, and associated laws.
• Controller / Responsible Party: The Organisation.
• Processor / Operator: Plentii.
• Personal Data / Personal Information: as defined under Applicable Data Protection Laws.
• Processing: any operation performed on Personal Data, including collection, storage, use, disclosure, deletion.

2. Roles and scope

2.1 The Organisation is the Controller/Responsible Party of any Personal Data it provides or makes available to Plentii.

2.2 Plentii acts as Processor/Operator when processing Personal Data on behalf of the Organisation to provide the Platform services.

2.3 Where Plentii independently determines purposes and means (e.g., platform security, fraud prevention, aggregated analytics), Plentii may act as an independent Controller for that limited processing.

3. Processing details

3.1 Subject matter: Operating the Platform; facilitating matching, scheduling, and follow-up.

3.2 Duration: For the term of the account plus retention as in Section 10.

3.3 Nature/purpose: Hosting profiles/briefs, communications, scheduling, session support, support tickets, platform analytics, safeguarding, and security.

3.4 Categories of data subjects: Organisation staff, volunteers, and (only if provided) other stakeholders.

3.5 Types of Personal Data: Names, emails, role titles, organisational information, session notes, and any data uploaded by the Organisation (subject to Section 6 of the Terms).

3.6 Special category data: Not required and not intended. Organisation must not provide it unless explicitly agreed in writing with safeguards.

4. Plentii obligations

Plentii will:

4.1 Process Personal Data only on documented instructions from the Organisation (including these Terms), unless required by law.

4.2 Ensure personnel and contractors are bound by confidentiality.

4.3 Implement appropriate technical and organisational measures to protect Personal Data (access controls, least privilege, encryption in transit where feasible, backups, vendor due diligence).

4.4 Assist the Organisation (taking into account the nature of Processing) with:

• data subject requests (access, deletion, correction) where applicable,
• security and breach notifications,
• DPIAs/impact assessments where reasonably required.

5. Organisation obligations

The Organisation will:

5.1 Ensure it has a lawful basis to collect and share Personal Data with Plentii and Volunteers.

5.2 Not provide special category/highly sensitive data unless explicitly agreed.

5.3 Provide instructions that are lawful and consistent with Applicable Data Protection Laws.

6. Sub-processors

6.1 The Organisation authorises Plentii to use sub-processors (e.g., hosting, email, scheduling, CRM, note-taking tools).

6.2 Plentii will maintain an up-to-date list of sub-processors.

6.3 Plentii will impose data protection obligations on sub-processors that are no less protective than this DPA.

7. Cross-border transfers

7.1 Personal Data may be processed in the UK, EU, South Africa, and other locations where Plentii or sub-processors operate.

7.2 Plentii will ensure cross-border transfers comply with Applicable Data Protection Laws, including:

• POPIA Section 72 requirements; and
• where GDPR applies, appropriate safeguards (e.g., SCCs / UK IDTA or equivalent mechanisms).

8. Security incidents and breach notification

8.1 Plentii will notify the Organisation without undue delay upon becoming aware of a Personal Data breach affecting Organisation data.

8.2 Plentii will provide reasonable information to support the Organisation's legal obligations (including notifying regulators/data subjects where required).

9. Data subject requests

9.1 If Plentii receives a request from a data subject relating to Organisation data, Plentii will (where lawful) direct the request to the Organisation.

9.2 Plentii will provide reasonable assistance to enable the Organisation to respond within required timelines.

10. Retention and deletion

10.1 Plentii will retain identifiable Personal Data for the duration of the Organisation's account and for up to 180 days after deactivation/termination unless:

• a longer period is required by law, or
• necessary for dispute resolution, fraud prevention, safeguarding, or security.

10.2 Where call recordings and/or automated notes are enabled, Plentii will store recordings/notes for up to 180 days, unless earlier deletion is requested or a longer period applies under the exceptions above.

10.3 On request, Plentii will delete or return Organisation Personal Data within a reasonable timeframe, subject to legal and security constraints.

10.4 Plentii may retain anonymised/aggregated data that does not identify individuals or the Organisation.

11. Audit and information rights

11.1 On reasonable request, Plentii will provide information necessary to demonstrate compliance with this DPA.

11.2 The parties will agree a reasonable scope and timing for any audit, and audits will not unreasonably disrupt Plentii operations.

12. Order of precedence

If there is a conflict between the Organisation Terms and this DPA regarding data processing, this DPA prevails for those data processing issues.

13. Contact

Privacy + Security queries: support@plentii.world