All Legal Documents

Privacy Policy (POPIA / Data Protection)

POPIA Compliant HIPAA Aligned

Version 1 • Effective: 2026-06-11

MedCascade is committed to protecting your privacy and securing your personal and health information, in line with POPIA and, for US healthcare customers, HIPAA.

1.Who We Are and Our Regulatory Framework

MedCascade is committed to protecting your privacy and securing your personal and health information. Our privacy program is built on the South African Protection of Personal Information Act 4 of 2013 (POPIA).

MedCascade supports billing-assist, clinical validation, claim switching, and collections workflows for healthcare providers, medical bureaus and medical schemes:

  • For patient and practice data that customers upload, the customer organisation is the "responsible party" and MedCascade is an "operator", processing personal and special personal information (health data) on the customer’s documented instructions.
  • For our own account management, security monitoring and communications, MedCascade is a responsible party.

Where a customer outside South Africa is subject to foreign health-information law (for example HIPAA in the United States), supplementary terms — including a Business Associate Agreement where required — are available on request and govern that processing.

2.Information We Process

We may collect and process the following categories of information:

  • Account and organisation details: names, email addresses, role, practice details, and contact information
  • Operational logs and telemetry: events, feature usage, IP addresses, device and browser information for security and service improvement
  • Billing-assist inputs/outputs: ICD-10/ICD-11 codes, RPL/NHRPL references, clinical motivations, notes, and attachments provided by customers. These may include special personal information about health.
  • Claim-switching transaction data: where the switching service is engaged, claim records exchanged between the customer and medical schemes via switching infrastructure
  • Collections information: where the collections service is mandated, debtor identity and contact details, outstanding-account information, and payment conduct
  • Banking and payment details: account details required to remit recoveries or process payments, handled under strict safeguards
  • Support correspondence: communication history and audit trails

We follow the POPIA principles of lawfulness, purpose limitation, minimality, and confidentiality in all our processing activities.

3.Purposes and Lawful Grounds

We process personal information for the following purposes:

  • Service delivery and improvement: contract necessity; legitimate interests to secure and improve the platform
  • Claim switching: transmitting claims to and from medical schemes on the customer’s instruction (contract necessity; the customer’s lawful basis toward its patients)
  • Collections: recovering amounts owing to the customer under a written mandate (contract necessity; legitimate interests; legal obligations)
  • Infrastructure operations: multi-tenant infrastructure, access control, logging and fraud/security monitoring (legitimate interests; legal obligations)
  • Customer support: contract necessity; legitimate interests in providing quality service
  • Legal compliance: compliance with law, professional and regulatory requirements (legal obligations)
  • Direct marketing: by electronic communications only in compliance with section 69 of POPIA and ECTA: consent (opt-in) for non-customers; opt-out provided in every message for existing customers. Collections communications are account-servicing communications, not direct marketing.

For special personal information (health), we act primarily as operator for the responsible party (our customer) and process on documented instructions under the applicable POPIA grounds relied upon by that customer. Customers are responsible for ensuring a lawful basis and necessary notices/consent.

4.Claim Switching and Collections Processing

Where a customer engages the claim-switching service, claim data is exchanged with the relevant medical schemes and switching/clearing infrastructure solely to transmit, track, and reconcile the customer’s claims. We act as a technical conduit; adjudication remains with the scheme.

Where a customer mandates the collections service, we process debtor personal information — identity and contact details, account balances, and payment conduct — on the customer’s behalf to demand, collect, receive and account for amounts owing. Collections are conducted lawfully and respectfully; debtors may direct queries or complaints to the contact details below and retain all POPIA rights, exercised via the responsible party (the customer) where we act as operator.

Banking and payment details processed for remittance or payment purposes are encrypted in transit and at rest, access-restricted, and never used for any purpose other than the mandated service.

5.Security Safeguards

Our controls are designed to meet the POPIA appropriate-safeguards requirement and align with recognised international security practice.

  • Encryption: data encrypted in transit (TLS 1.2+) and at rest
  • Tenant isolation: separate databases per tenant to ensure complete data segregation
  • Access controls: role-based access controls, least-privilege principles, and MFA for administrative access
  • Payment-data safeguards: banking and payment details restricted to the personnel and processes required for remittance, with enhanced monitoring
  • Audit logging: access and activity logs retained in accordance with POPIA accountability requirements
  • Secure webhooks: authentication, request validation and audit trails for all webhook communications
  • Business continuity: regular backups, disaster recovery procedures, and change management protocols
  • Sub-processor oversight: operator agreements with sub-processors and due diligence on suppliers
  • Workforce training: security, privacy and health-information handling training for personnel with access to customer data

6.Sharing, Operators and Cross-Border Transfers

We do not sell personal information. We may disclose limited data to:

  • Authorised personnel: of the customer organisation as configured by the customer
  • Medical schemes and switching infrastructure: where the switching service is engaged, to transmit and reconcile claims
  • Payment processors and banks: where required to remit recoveries or process payments
  • Collections sub-agents: including attorneys, where engaged under the collections mandate and bound by equivalent obligations
  • Operators and service providers: cloud hosting, monitoring, email delivery, and support tooling under written operator terms
  • Legal authorities: regulators, courts or law enforcement when legally required

Where data is transferred cross-border, we apply POPIA section 72 mechanisms (adequate protection, contractual safeguards, or data subject consent).

7.Retention

As operator, we retain customer data according to the customer’s configuration and instructions, and for as long as necessary to provide the services, meet legal obligations and maintain auditability. Collections records are retained as required for the mandate, accounting, and applicable law.

Backups have limited retention windows. Upon termination, we will delete or return data per our agreement and the customer’s instructions unless retention is legally required.

8.Data Subject Rights

Under POPIA, you have the following rights:

  • Access and correction: request access to or correction of personal information we hold as responsible party
  • Deletion: request deletion of your personal information, subject to legal obligations
  • Objection: object to processing or direct marketing
  • Withdrawal of consent: where processing is based on consent
  • Operator-held data: for data we hold as operator (including debtor information processed under a collections mandate), we will refer your request to the relevant customer (responsible party)

To exercise your rights, contact our Information Officer using the details below.

9.Cookies and Analytics

We use essential cookies for authentication and security, and optional analytics to improve the Service. You can control non-essential cookies in your browser settings.

Blocking essential cookies may impair functionality.

10.Children

We do not directly target services to children. Where customer data includes information about minors, customers must ensure lawful processing and appropriate authorisations. We process such data as operator on their instructions.

11.Breach Notification

In the event of a security compromise creating a real risk of harm, we will notify the affected customer (responsible party) and, where applicable, the Information Regulator and data subjects in accordance with POPIA and our contractual commitments.

Where a customer is subject to foreign breach-notification law (for example HIPAA), we will also report in accordance with the supplementary terms agreed with that customer.

12.Changes

We may update this policy occasionally to reflect changes in our practices or legal requirements. Material changes will be communicated in-product or by email. Continued use of the Service after such changes indicates acceptance of the updated policy.

13.Contact and Complaints

Information Officer: Mr Jan Venter (Managing Director, CareCo Solutions (Pty) Ltd). For privacy queries and rights requests: privacy@medcascade.com.

Lodge complaints with the Information Regulator (South Africa): https://inforegulator.org.za | complaints.IR@inforegulator.org.za.

This privacy policy reflects our commitment to transparency and to meeting applicable privacy and security obligations under POPIA.

Content integrity (SHA-256): aefe28a33d9c92266503b2bf641df5dbf552b5e0af02521f90150f151ab23c79

MedCascade © 2026. All rights reserved.