4AM CLUB — PRIVACY POLICY
Effective date: 1st of September 2025
Covers: The 4AM Club public website and the “4AM Club – Client Portal” mobile apps (Android & iOS).
Company (Data Controller)
4AM Club
6 Mariette Nook, Pretorius Park, Pretoria, South Africa
(+27)12 004 8302
support@4amclub.co.za
1. WHAT THIS POLICY COVERS
   This Privacy Policy explains what personal information we collect, how we use it, the choices you have, and your rights under POPIA (South Africa), GDPR (EU/UK), CCPA/CPRA (California, USA), and CalOPPA. Some features require login; others (like the marketing site) can be viewed without logging in.
2. INFORMATION WE COLLECT
2.1 Information you provide
* Identity & contact: name, email, phone number, job title, age/date of birth.
* Credentials: password (stored hashed; never in plain text).
* KYC/FICA details: identity documents, proof of address, ID/passport numbers, and related verification artifacts (including selfie/liveness capture via camera where applicable).
* Communication preferences: opt-ins/opt-outs for marketing email/SMS. Transactional service emails may still be sent.
* Payments: amounts, plan, billing status. Card data is handled by payment processors; we do not store full card numbers.
2.2 Device & usage data (automatic)
* Log data: app/website interactions, device type, OS version, browser, language, IP address, timestamps.
* Cookies, session, and local storage: used for authentication, session security, preferences, and app state.
* Analytics: Google Analytics for aggregate usage and performance insights.
2.3 Optional mobile permissions (app)
* Camera: for document capture and (where applicable) identity verification/selfie.
* Photo library: to upload documents or profile images.
* Contacts (future): may be requested if we add sharing/invite features (disabled by default).
* Geolocation: not used at this time.
  Permissions are requested at runtime; you can change them in device settings. Some features may not work without the relevant permission.
3. HOW WE USE YOUR INFORMATION (PURPOSES & LEGAL BASES)
* Provide and secure the service: account creation, authentication, session management, fraud/abuse detection, customer support.
  Legal basis: contract performance; legitimate interests; legal obligation (security).
* KYC/FICA compliance: verify identity and maintain required records.
  Legal basis: legal obligation (e.g., FICA/AML); public interest; consent where required (e.g., biometric capture).
* Payments: process one-time and recurring payments, invoices, receipts.
  Legal basis: contract performance; legitimate interests.
* Product improvement & analytics: diagnose issues, measure performance, plan features.
  Legal basis: legitimate interests; consent where required for cookies/analytics.
* Communications:
  • Transactional emails (security, receipts, critical updates) — may be sent without marketing consent.
  • Marketing email/SMS — only with your opt-in; you can opt out anytime.
  Legal basis: legitimate interests (transactional); consent (marketing).
* Compliance & enforcement: respond to lawful requests; enforce terms.
We do not run third-party ads. We currently use Google Analytics. We may implement a Facebook/Meta Pixel later to measure site performance; if we do, we will update this policy and obtain consent where required.
4. COOKIES, LOCAL STORAGE & SIMILAR TECHNOLOGIES
* Strictly necessary: login, security, load-balancing, session persistence.
* Preferences: language, theme, UI settings.
* Analytics: Google Analytics cookies (aggregate statistics).
* Local/session storage: in-app state and preferences.
  You can manage cookies in your browser/app settings. Blocking essential cookies may limit functionality.
5. SHARING YOUR INFORMATION
   We share data only as needed to provide the service, comply with law, or with your permission:
* Service providers/processors: hosting, analytics (Google), email/SMS providers, document verification, and payment processors (who handle card information).
* Compliance: regulators, law enforcement, or to assert legal claims.
* Business continuity: in a merger, acquisition, or asset sale, data may transfer under the same protections.
  We do not sell your personal information and we do not share it for cross-context behavioral advertising (CCPA/CPRA).
6. INTERNATIONAL TRANSFERS
   Some processors may store or process data outside your country. Appropriate safeguards (e.g., contractual protections) are used for international transfers.
7. DATA RETENTION
* Account & transactional data: retained for the life of the account and a reasonable period thereafter.
* KYC/FICA records: retained for the period required by law/regulation.
* Analytics data: retained per provider defaults.
  We delete or anonymize data when no longer needed or upon request, subject to legal holds.
8. YOUR PRIVACY RIGHTS
   Under POPIA/GDPR (and similar laws), you may have the right to: access; rectify; erase; restrict or object to processing; data portability; and withdraw consent (for activities based on consent).
   Under CCPA/CPRA, you may have the right to: know (categories and specific pieces); delete; correct; opt-out of sale or sharing (we do not sell/share for cross-context ads); limit use of sensitive personal information (we use sensitive data only for KYC/compliance and service delivery).
   We will not discriminate against you for exercising your rights.
   How to exercise your rights: email support@4amclub.co.za or call (+27)12 004 8302. We may need to verify identity (and authority if acting as an agent).
9. MARKETING COMMUNICATIONS
   Marketing email/SMS requires your opt-in. You can opt out at any time via unsubscribe links or by contacting us. Transactional/operational emails (e.g., security notices, invoices) may still be sent.
10. CALOPPA — DO NOT TRACK
    Because there is no industry standard for DNT signals, we do not currently respond to DNT. You can control cookies/analytics in your browser/app settings.
11. CHILDREN’S PRIVACY
    The website and apps are not offered to users under the age of 13. We do not knowingly collect information from children under 13. If you believe a child under 13 has provided data, contact us for deletion.
12. SECURITY
    We apply technical and organizational safeguards appropriate to the data’s sensitivity (encryption in transit, strict access controls, password hashing, monitoring). No method is 100% secure; if a data incident affects you, we will notify you and regulators as required.
13. PAYMENTS
    One-time and recurring payments are processed by third-party payment processors. We receive payment status and limited metadata; we do not store full card details.
14. THIRD-PARTY LINKS & PIXELS
    Our site/app may link to third-party sites. Their privacy practices are governed by their own policies. We currently use Google Analytics; we do not show ads. We may implement a Facebook/Meta Pixel later and will update this policy and obtain consent where required.
15. CHANGES TO THIS POLICY
    We may update this policy to reflect changes in practices or legal requirements. We will post updates here and adjust the “Effective date” above. For material changes, we may provide additional notice (e.g., email or in-app prompt).
16. CONTACT US
    4AM Club
    6 Mariette Nook, Pretorius Park, Pretoria, South Africa
    (+27)12 004 8302
    support@4amclub.co.za
SUMMARY OF KEY POINTS
* We collect identity/contact, credentials, KYC/FICA, and usage/analytics data.
* We use cookies, local storage, and sessions.
* No ads. Google Analytics enabled; Meta Pixel may be added later with appropriate consent.
* No social login (Facebook/Google/Twitter) at this time.
* Under 13s not permitted.
* Marketing communications are opt-in; transactional communications may be sent without opt-in.
* You have rights to access, correct, delete, port, and object/restrict, plus CCPA rights (Know/Delete/Correct/Opt-out/Limit sensitive PI).
* Contact support@4amclub.co.za for privacy requests.