
Privacy Policy

POPIA Compliant | HIPAA Aligned

Last updated: April 2026

MedCascade is committed to protecting your privacy and securing your personal and health information. Our program is aligned with the South African Protection of Personal Information Act 4 of 2013 (POPIA) and, for US healthcare customers, with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

1. Who We Are and Our Regulatory Framework

MedCascade supports billing-assist and clinical validation workflows for healthcare providers, medical bureaus and medical schemes. Depending on your jurisdiction, different privacy frameworks apply:

  • POPIA (South Africa): For patient and practice data that customers upload, the customer organisation is the "responsible party" and MedCascade is an "operator" processing personal and special personal information (health data) on the customer's documented instructions.
  • HIPAA (United States): Where a customer is a HIPAA-regulated covered entity or business associate and uploads Protected Health Information (PHI), MedCascade acts as a business associate. A Business Associate Agreement (BAA) is available on request and governs that processing.

For our own account management, security monitoring and communications, MedCascade is a responsible party (POPIA) and a controller of its own corporate data.

2. Information We Process

We may collect and process the following categories of information:

  • Account and organisation details: Names, email addresses, role, practice details, and contact information
  • Operational logs and telemetry: Events, feature usage, IP addresses, device and browser information for security and service improvement
  • Billing-assist inputs/outputs: ICD-10/ICD-11 codes, RPL/NHRPL references, clinical motivations, notes, and attachments provided by customers. These may include special personal information about health.
  • Support correspondence: Communication history and audit trails

We follow the POPIA principles of lawfulness, purpose limitation, minimality, and confidentiality in all our processing activities.

3. Purposes and Lawful Grounds

We process personal information for the following purposes:

  • Service delivery and improvement: Contract necessity; legitimate interests to secure and improve the platform
  • Infrastructure operations: Multi-tenant infrastructure, access control, logging and fraud/security monitoring (legitimate interests; legal obligations)
  • Customer support: Contract necessity; legitimate interests in providing quality service
  • Legal compliance: Compliance with law, professional and regulatory requirements (legal obligations)
  • Direct marketing: By electronic communications only, in compliance with section 69 of POPIA and ECTA; consent (opt-in) is required for non-customers, and every message to existing customers includes an opt-out

For special personal information (health), we act primarily as operator for the responsible party (our customer) and process on documented instructions under the applicable POPIA grounds relied upon by that customer (e.g., healthcare provision, legal claims or explicit consent). Customers are responsible for ensuring a lawful basis and necessary notices/consent.

4. Security Safeguards

Our controls are designed to meet the POPIA appropriate-safeguards requirement and align with the administrative, physical and technical safeguards of the HIPAA Security Rule (45 CFR Part 164, Subpart C).

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest
  • Tenant isolation: A separate database per tenant, so that one customer's data is never stored alongside another's
  • Access controls: Role-based access controls, least-privilege principles, and MFA for administrative access
  • Audit logging: Access and activity logs retained in accordance with HIPAA audit-trail expectations and POPIA accountability requirements
  • Secure webhooks: Authentication, request validation and audit trails for all webhook communications
  • Business continuity: Regular backups, disaster recovery procedures, and change management protocols
  • Sub-processor oversight: Operator / business associate agreements with sub-processors and due diligence on suppliers
  • Workforce training: Security, privacy and PHI handling training for personnel with access to customer data

5. Sharing, Operators and Cross-Border Transfers

We do not sell personal information. We may disclose limited data to:

  • Authorised personnel: Of the customer organisation as configured by the customer
  • Operators and service providers: Cloud hosting, monitoring, email delivery, and support tooling under written operator terms
  • Legal authorities: Regulators, courts or law enforcement when legally required

Where data is transferred cross-border, we apply POPIA section 72 mechanisms (adequate protection, contractual safeguards, or data subject consent). For PHI processed on behalf of US customers, disclosures to sub-contractors are governed by a Business Associate Agreement in accordance with 45 CFR 164.308(b) and 164.502(e).

6. Retention

As operator, we retain customer data according to the customer's configuration and instructions, and for as long as necessary to provide the Service, meet legal obligations and maintain auditability.

Backups have limited retention windows. Upon termination, we will delete or return data per our agreement and the customer's instructions unless retention is legally required.

7. Data Subject Rights

Under POPIA, you have the following rights:

  • Access and correction: Request access to or correction of personal information we hold as responsible party
  • Deletion: Request deletion of your personal information, subject to legal obligations
  • Objection: Object to processing or direct marketing
  • Withdrawal of consent: Where processing is based on consent
  • Operator-held data: For data we hold as operator, we will refer your request to the relevant customer (responsible party)

To exercise your rights, contact our Information Officer using the details below.

8. Cookies and Analytics

We use essential cookies for authentication and security, and optional analytics to improve the Service. You can control non-essential cookies in your browser settings.

Blocking essential cookies may impair functionality.

9. Children

We do not directly target services to children. Where customer data includes information about minors, customers must ensure lawful processing and appropriate authorisations. We process such data as operator on their instructions.

10. Breach Notification

In the event of a security compromise where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the affected customer (responsible party) as soon as reasonably possible after discovery, as section 22 of POPIA requires of an operator, and, where applicable, the Information Regulator and data subjects in accordance with POPIA and our contractual commitments.

Where PHI is involved and HIPAA applies, MedCascade will report the breach to the affected covered entity without unreasonable delay and in any event within the timeframe required by 45 CFR 164.410 (no later than 60 calendar days after discovery), so the covered entity can meet its own notification obligations to HHS and to affected individuals.

11. Changes

We may update this policy occasionally to reflect changes in our practices or legal requirements. Material changes will be communicated in-product or by email. Continued use of the Service after such changes indicates acceptance of the updated policy.

12. Contact and Complaints

Information Officer

For privacy queries and rights requests

privacy@medcascade.com

Lodge Complaints with the Information Regulator (South Africa)

Website: https://inforegulator.org.za

Email: complaints.IR@inforegulator.org.za

This privacy policy reflects our commitment to transparency and to meeting applicable privacy and security obligations under POPIA and HIPAA.

For questions about our Terms of Service, please visit our Terms page.