Privacy Policy

Last updated: December 2025

MedCascade is committed to protecting your privacy and ensuring the security of your personal and health information in compliance with South African law, including the Protection of Personal Information Act 4 of 2013 (POPIA).

1. Who We Are and Roles Under POPIA

MedCascade supports billing-assist workflows for South African healthcare providers. For patient/practice data that customers upload, the customer organisation is the POPIA "responsible party" and MedCascade is an "operator" processing personal and special personal information (health data) on the customer's behalf and instructions.

For our own account management, security monitoring and communications, MedCascade is a responsible party.

2. Information We Process

We may collect and process the following categories of information:

  • Account and organisation details: Names, email addresses, role, practice details, and contact information
  • Operational logs and telemetry: Events, feature usage, IP addresses, device and browser information for security and service improvement
  • Billing-assist inputs/outputs: ICD-10/ICD-11 codes, RPL/NHRPL references, clinical motivations, notes, and attachments provided by customers. These may include special personal information about health.
  • Support correspondence: Communication history and audit trails

We follow the POPIA principles of lawfulness, purpose limitation, minimality, and confidentiality in all our processing activities.

3. Purposes and Lawful Grounds

We process personal information for the following purposes:

  • Service delivery and improvement: Contract necessity; legitimate interests to secure and improve the platform
  • Infrastructure operations: Multi-tenant infrastructure, access control, logging and fraud/security monitoring (legitimate interests; legal obligations)
  • Customer support: Contract necessity; legitimate interests in providing quality service
  • Legal compliance: Compliance with law, professional and regulatory requirements (legal obligations)
  • Direct marketing: By electronic communications only in compliance with section 69 of POPIA and ECTA: consent (opt-in) for non-customers; opt-out provided in every message for existing customers

For special personal information (health), we act primarily as operator for the responsible party (our customer) and process on documented instructions under the applicable POPIA grounds relied upon by that customer (e.g., healthcare provision, legal claims or explicit consent). Customers are responsible for ensuring a lawful basis and necessary notices/consent.

4. Security Safeguards

We implement comprehensive security measures to protect your information:

  • Encryption: Data encrypted in transit (TLS) and at rest
  • Tenant isolation: Separate databases per tenant to ensure complete data segregation
  • Access controls: Role-based access controls, least-privilege principles, and MFA for administrative access
  • Secure webhooks: Authentication, request validation and audit trails for all webhook communications
  • Business continuity: Regular backups, disaster recovery procedures, and change management protocols
  • Sub-processor oversight: Operator agreements with sub-processors and due diligence on suppliers

5. Sharing, Operators and Cross-Border Transfers

We do not sell personal information. We may disclose limited data to:

  • Authorised personnel: Of the customer organisation as configured by the customer
  • Operators and service providers: Cloud hosting, monitoring, email delivery, and support tooling under written operator terms
  • Legal authorities: Regulators, courts or law enforcement when legally required

Where data is transferred cross-border, we apply POPIA section 72 mechanisms (adequate protection, contractual safeguards, or data subject consent).

6. Retention

As operator, we retain customer data according to the customer's configuration and instructions, and for as long as necessary to provide the Service, meet legal obligations and maintain auditability.

Backups have limited retention windows. Upon termination, we will delete or return data per our agreement and the customer's instructions unless retention is legally required.

7. Data Subject Rights

Under POPIA, you have the following rights:

  • Access and correction: Request access to or correction of personal information we hold as responsible party
  • Deletion: Request deletion of your personal information, subject to legal obligations
  • Objection: Object to processing or direct marketing
  • Withdrawal of consent: Where processing is based on consent
  • Operator-held data: For data we hold as operator, we will refer your request to the relevant customer (responsible party)

To exercise your rights, contact our Information Officer using the details below.

8. Cookies and Analytics

We use essential cookies for authentication and security, and optional analytics to improve the Service. You can control non-essential cookies in your browser settings.

Blocking essential cookies may impair functionality.

9. Children

We do not directly target services to children. Where customer data includes information about minors, customers must ensure lawful processing and appropriate authorisations. We process such data as operator on their instructions.

10. Breach Notification

In the event of a security compromise creating a real risk of harm, we will notify the affected customer (responsible party) and, where applicable, the Information Regulator and data subjects in accordance with POPIA and our contractual commitments.

11. Changes

We may update this policy occasionally to reflect changes in our practices or legal requirements. Material changes will be communicated in-product or by email. Continued use of the Service after such changes indicates acceptance of the updated policy.

12. Contact and Complaints

Information Officer

For privacy queries and rights requests

privacy@medcascade.com

Lodge complaints with the Information Regulator (South Africa)

Website: https://inforegulator.org.za

Email: complaints.IR@inforegulator.org.za

This privacy policy is part of our commitment to transparency and compliance with South African privacy laws.

For questions about our Terms of Service, please visit our Terms page.