Privacy Policy

Last updated: November 2025

1) Who We Are and Roles Under POPIA

MedCascade supports billing-assist workflows for South African healthcare providers. For patient/practice data that customers upload, the customer organisation is the POPIA “responsible party” and MedCascade is an “operator” processing personal and special personal information (health data) on the customer’s behalf and instructions. For our own account management, security monitoring and communications, MedCascade is a responsible party.

2) Information We Process

  • Account and organisation details (names, emails, role, practice details).
  • Operational logs and telemetry (events, feature usage, IP address, device/browser).
  • Billing-assist inputs/outputs provided by customers (ICD-10/ICD-11, RPL/NHRPL references, motivations, notes, attachments). These may include special personal information about health.
  • Support correspondence and audit trails.

We follow the POPIA principles of lawfulness, purpose limitation, minimality and confidentiality.

3) Purposes and Lawful Grounds

  • Provide and improve the Service (contract necessity; legitimate interests to secure and improve).
  • Operate multi-tenant infrastructure, access control, logging and fraud/security monitoring (legitimate interests; legal obligations).
  • Customer support and communications (contract necessity; legitimate interests).
  • Compliance with law, professional and regulatory requirements (legal obligations).
  • Direct marketing by electronic communications only in compliance with section 69 of POPIA and ECTA: consent (opt-in) for non-customers; opt-out provided in every message for existing customers.

For special personal information (health), we act primarily as operator for the responsible party (our customer) and process on documented instructions under the applicable POPIA grounds relied upon by that customer (e.g., healthcare provision, legal claims or explicit consent). Customers are responsible for ensuring a lawful basis and necessary notices/consent.

4) Security Safeguards

  • Encryption in transit and at rest; tenant-level isolation with separate databases per tenant.
  • Role-based access controls, least-privilege, MFA for administrative access.
  • Secure webhooks with authentication, request validation and audit trails.
  • Backups, disaster recovery and change management.
  • Operator agreements with sub-processors and due diligence on suppliers.

5) Sharing, Operators and Cross-Border Transfers

We do not sell personal information. We may disclose limited data to:

  • Authorised personnel of the customer (as configured by the customer).
  • Operators (cloud hosting, monitoring, email delivery, support tooling) under written operator terms.
  • Regulators, courts or law enforcement when legally required.

Where data is transferred cross-border, we apply POPIA section 72 mechanisms (adequate protection, contractual safeguards, or data subject consent).

6) Retention

As operator, we retain customer data according to the customer’s configuration and instructions, and for as long as necessary to provide the Service, meet legal obligations and maintain auditability. Backups have limited retention windows. Upon termination, we will delete or return data per our agreement and the customer’s instructions unless retention is legally required.

7) Data Subject Rights

Under POPIA, you may request to:

  • Access, correct or delete personal information we hold as responsible party.
  • Object to processing or direct marketing; withdraw consent where relied upon.

For operator-held data, we will refer your request to the relevant customer (responsible party).

To exercise rights, contact our Information Officer using the details below.

8) Cookies and Analytics

We use essential cookies for authentication and security, and optional analytics to improve the Service. You can control non-essential cookies in your browser. Blocking essential cookies may impair functionality.

9) Children

We do not directly target services to children. Where customer data includes information about minors, customers must ensure lawful processing and appropriate authorisations. We process such data as operator on their instructions.

10) Breach Notification

In the event of a security compromise creating a real risk of harm, we will notify the affected customer (responsible party) and, where applicable, the Information Regulator and data subjects in accordance with POPIA and our contractual commitments.

11) Changes

We may update this policy occasionally. Material changes will be communicated in-product or by email. Continued use indicates acceptance.

12) Contact and Complaints

Information Officer (privacy queries & rights requests): privacy@medcascade.com

You may lodge complaints with the Information Regulator (South Africa): https://inforegulator.org.za • Email: complaints.IR@inforegulator.org.za