POPIA Manual
Protection of Personal Information Act 4 of 2013 (POPIA) — Section 51 Manual
Last updated: 15 May 2026
1. Introduction
This manual is published in terms of Section 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA), read together with the Protection of Personal Information Act 4 of 2013 (POPIA). It describes how West Technology Group (Pty) Ltd (Reg. 2023/0672402/07) ("the Company", "we", "us") collects, processes, stores, and protects personal information in connection with the Care Ops platform.
The Company's registered address is: 4 Montrose St, Newlands 7700, Cape Town, South Africa.
2. Contact Details — Information Officer
| Role | Details |
|---|---|
| Information Officer | Matthew Nico van der Westhuizen |
| matthew@w-tg.co.za | |
| Postal address | 4 Montrose St, Newlands 7700, Cape Town, South Africa |
| Physical address | 4 Montrose St, Newlands 7700, Cape Town, South Africa |
The Information Officer is responsible for ensuring compliance with POPIA and for handling all data subject requests.
3. Definitions
- Personal information
- Information relating to an identifiable, living, natural person or an identifiable, existing juristic person, including but not limited to: name, identity number, contact details, date of birth, health information, financial information, and location data.
- Special personal information
- A sub-category of personal information that receives heightened protection under POPIA, including: health and medical information, race, ethnicity, religious beliefs, trade union membership, political views, sexual orientation, and criminal history.
- Processing
- Any operation performed on personal information, whether by automated means or not, including collection, recording, storage, retrieval, use, disclosure, and destruction.
- Data subject
- The person to whom personal information relates.
- Responsible party
- The Company — the entity that determines the purpose of and means for processing personal information.
- Operator
- A person who processes personal information on behalf of the responsible party in terms of an authorisation issued by the responsible party.
4. Personal Information We Process
4.1 Platform Users (Administrators, Brokers, Agents)
- Full name and email address
- Password (hashed; never stored in plaintext)
- IP address and user-agent (session audit)
- Passkey credentials and TOTP secrets (two-factor authentication)
- Role assignments and access history
4.2 Policy Holders and Beneficiaries
- Full name (title, initials, first names, last name)
- South African identity number or passport number
- Date of birth and sex
- Contact number (E.164 format) and email address
- Residential address
- Policy number, inception date, benefit dates
- Relationship to the main member
- Third-party payer details (name, identity number, contact details)
4.3 Special Personal Information — Health Data
Where a scheme enables the health assessment module, the following special personal information is collected with the explicit consent of the data subject:
- Medical conditions (with ICD-10 codes)
- Medications (name, dosage, frequency)
- Surgical procedures
- Risk flags and underwriting notes
- Health interview transcript (verbatim conversation)
This information is used solely for underwriting and actuarial purposes. It is disclosed only to the insurer or underwriter as required by the policy agreement.
5. Lawful Basis for Processing
We process personal information on one or more of the following bases:
- Consent — The data subject has given consent for processing for a specific purpose (e.g., health assessment interview).
- Contractual necessity — Processing is necessary to perform a contract to which the data subject is a party (e.g., administering a funeral or life policy).
- Legal obligation — Processing is required to comply with a legal obligation (e.g., FSCA reporting, FICA compliance).
- Legitimate interest — Processing is necessary for the legitimate interests of the responsible party, provided those interests are not outweighed by the data subject's rights (e.g., fraud prevention, system security).
6. Data Retention
| Data category | Retention period | Reason |
|---|---|---|
| Active policy records | Duration of policy + 5 years | Contractual and regulatory requirement |
| Health assessment records | Duration of policy + 5 years | Underwriting and claims disputes |
| Cancelled / resigned policy records | 5 years from cancellation | FSCA record-keeping rules |
| Session tokens | 7 days (auto-expiry) | Authentication security |
| Password reset tokens | 24 hours (auto-expiry) | Security — prevent reuse |
| Audit logs | 3 years | Regulatory compliance and fraud detection |
| User account data (post-deletion) | 90 days in backup, then purged | Disaster recovery |
7. Third-Party Operators and Cross-Border Transfers
We use third-party service providers ("operators") who process personal information on our behalf. Each operator is bound by a data processing agreement that requires POPIA-equivalent protections.
| Operator | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Email delivery (SES), file storage (S3) | EU / ZA region (configurable) |
| Anthropic | AI health assessment interview (Claude API) | USA |
| Address lookup (Maps API), OAuth login | USA / EU | |
| Microsoft | OAuth login (Entra ID) | USA / EU |
| SMS Portal | One-time PIN delivery | South Africa |
Where personal information is transferred outside South Africa, we ensure that the receiving country or operator provides an adequate level of protection as required by Section 72 of POPIA, or that appropriate contractual safeguards are in place.
8. Security Safeguards
8.1 Technical Controls
- All external traffic is encrypted in transit via TLS 1.2+ (Caddy reverse proxy with Let's Encrypt certificates).
- Passwords are hashed using industry-standard algorithms (bcrypt/scrypt via the Better Auth library).
- Session tokens are stored in HttpOnly, Secure cookies and signed with a secret key.
- Database connections require authentication (SCRAM-SHA-256).
- Cache/session store (Valkey/Redis) is password-protected and accessible only within the private Docker network.
- Encryption at rest is enforced at the filesystem level on the production host (see infrastructure security documentation).
- Fine-grained access control (OpenFGA) enforces least-privilege access to policy data at the object level.
- A dedicated
view_piirole permission is required to access unredacted identity numbers, contact details, and health data — all other users see redacted values. - Multi-factor authentication (TOTP and passkeys) is available for all platform users.
8.2 Organisational Controls
- Access is provisioned on a need-to-know basis via role-based allocations.
- Database access audit logs are retained for 3 years.
- Credentials are rotated on staff change and at least every 90 days.
- The platform undergoes regular security reviews.
9. Rights of Data Subjects
Under POPIA, data subjects have the following rights:
- Right to be notified — You must be informed when we collect your personal information and why.
- Right of access — You may request a copy of your personal information held by us. We will respond within 30 days.
- Right to correction or deletion — You may request that we correct inaccurate information or delete your information where it is no longer necessary.
- Right to object — You may object to the processing of your personal information on the grounds of legitimate interest.
- Right to complain — You may lodge a complaint with the Information Regulator if you believe your rights under POPIA have been infringed.
To exercise any of these rights, contact the Information Officer at the details in Section 2.
10. Information Regulator
Complaints or enquiries regarding our compliance with POPIA may be directed to:
Information Regulator (South Africa)JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal: PO Box 31533, Braamfontein, Johannesburg, 2017
Email: complaints.IR@justice.gov.za
Website: inforegulator.org.za
11. Security Compromise Notification
In the event of a security compromise that affects personal information, the Company will notify the Information Regulator and affected data subjects as soon as reasonably possible after becoming aware of the compromise, as required by Section 22 of POPIA.
12. Amendments to this Manual
This manual is reviewed and updated at least annually, or whenever material changes occur to our processing activities. The date at the top of this page reflects the most recent revision.