Privacy Policy
Last updated: 15 May 2026
West Technology Group (Pty) Ltd (Reg. 2023/0672402/07) ("we", "us", "our") respects your privacy and is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and all other applicable South African privacy legislation.
This Privacy Policy explains what personal information we collect, why we collect it, how we protect it, and what rights you have. Please read it carefully.
1. Who We Are
We are the operator of the Care Ops insurance administration platform. Our registered address is 4 Montrose St, Newlands 7700, Cape Town, South Africa. For privacy-related enquiries, contact our Information Officer at matthew@w-tg.co.za.
2. What Personal Information We Collect
2.1 Account and Authentication Information
When you create or use a user account on the Platform:
- Your full name and email address
- Your hashed password (we never store plaintext passwords)
- Device and browser information (user-agent) for session management
- IP address at login (audit logging)
- Multi-factor authentication credentials (TOTP secrets, passkey public keys)
- Profile picture (if uploaded)
2.2 Policy and Beneficiary Information
Where you administer insurance policies on behalf of a scheme or group:
- Policy holder and beneficiary names, identity numbers, dates of birth, and sex
- Contact details (phone numbers and email addresses)
- Residential addresses
- Policy numbers, dates, and status information
- Third-party payer details
2.3 Health Information (Special Personal Information)
Where enabled by the scheme you administer, the Platform may collect health assessment information from policy beneficiaries, including:
- Medical conditions with ICD-10 diagnostic codes
- Medications, dosages, and frequencies
- Surgical procedures
- AI-assisted health interview transcripts
- Derived risk scores and underwriting notes
Health information is special personal information under POPIA and is afforded the highest level of protection. It is collected only with the explicit informed consent of the data subject and used only for the underwriting purpose stated at the time of collection.
2.4 Usage and Technical Information
- Actions performed on the Platform (audit trail)
- Session duration and timing
- Error logs (anonymised where possible)
3. Why We Collect This Information
| Purpose | Legal basis |
|---|---|
| Authenticating and managing user accounts | Contract / Legitimate interest |
| Administering insurance policies and beneficiary records | Contract (on behalf of Tenant) |
| Conducting health assessments for underwriting | Explicit consent of data subject |
| Sending transactional emails (invites, password resets) | Contract / Legitimate interest |
| Sending OTP SMS codes for member self-service | Contract (member portal access) |
| Security monitoring and fraud prevention | Legitimate interest |
| Regulatory and statutory compliance (FSCA, FICA) | Legal obligation |
| Product improvement and quality assurance | Legitimate interest (anonymised data) |
4. How We Share Your Information
We do not sell your personal information. We share personal information only in the following circumstances:
- Service providers (operators): With vetted third-party operators bound by data processing agreements; see Section 7 of our POPIA Manual for the full list.
- Insurers and underwriters: Where required to administer or underwrite a policy, health and beneficiary data is shared with the relevant insurer or underwriter.
- Legal and regulatory authorities: Where required by law, court order, or lawful request from a regulatory authority.
- Business transfer: In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the acquirer subject to the same privacy protections.
5. How We Protect Your Information
- Encryption in transit: All data transmitted to and from the Platform is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data is stored on encrypted filesystems at the infrastructure level.
- Access controls: Fine-grained role-based access control (powered by OpenFGA) ensures users see only the data they are permitted to see. A specific `view_pii` permission is required to access unredacted personal information.
- Authentication security: Passwords are hashed using industry-standard algorithms. Multi-factor authentication (TOTP and hardware passkeys) is available for all users.
- Audit logging: All data modification operations are logged with timestamps and user context.
- Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
6. Cookies and Session Storage
The Platform uses the following cookies:
| Cookie | Purpose | Expiry |
|---|---|---|
| care-ops.session_token | Authenticates your session after login | 7 days (rolling) |
| active_scheme_id | Remembers your active scheme selection | Session |
| care-ops.pk.* | Passkey login preference flag | 90 days |
We do not use advertising cookies or third-party tracking cookies.
7. Data Retention
We retain personal information only for as long as necessary for the purpose for which it was collected, or as required by law. See the full retention schedule in Section 6 of our POPIA Manual.
8. Your Rights
Under POPIA you have the right to:
- Access your personal information held by us.
- Correct inaccurate or outdated personal information.
- Request deletion of your personal information where retention is no longer justified.
- Object to the processing of your personal information on grounds of legitimate interest.
- Withdraw consent at any time where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
- Lodge a complaint with the Information Regulator (see Section 10 of our POPIA Manual).
To exercise these rights, email our Information Officer at matthew@w-tg.co.za. We will respond within 30 days.
9. Children
The Platform is not directed at children. Where children are listed as policy beneficiaries, their personal information is provided by and processed on behalf of the policy holder or their legal guardian in connection with the relevant insurance policy.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Tenant administrators of material changes via email at least 30 days before changes take effect. The updated policy is always available at this URL. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.
11. Contact Us
West Technology Group (Pty) Ltd, Information Officer
Email: matthew@w-tg.co.za
Address: 4 Montrose St, Newlands 7700, Cape Town, South Africa