Privacy Policy
At a glance
If you don't want to read the whole policy, the most important points are:
- PlatformA is operated by i Squared (Pty) Ltd, a South African company registered as 2025/715409/07.
- We process personal information lawfully, under the Protection of Personal Information Act ("POPIA"), Act 4 of 2013.
- When you use the platforma.co.za website or contact us directly, we are the Responsible Party for your information.
- When you make a claim or buy a policy from an insurer who uses our platform, the insurer is the Responsible Party. We act as their Operator — a service provider working under their instructions and a written agreement.
- We use a small set of sub-processors for cloud hosting (primarily in South Africa), edge security, and AI processing. Categories are described in this policy; the current named list is available on request from our Information Officer and is disclosed to insurer customers under their Operator Agreements.
- We use AI in claims-decision-support, but every claim outcome is decided by a person — not the AI.
- Your information is secured using industry-standard monitoring, encryption in transit and at rest, multi-factor authentication, and a documented incident response process.
- You have rights under POPIA: access, correction, withdrawal of consent, objection, complaint, and (for automated decisions) human review.
- Contact us for any privacy question via
privacy@i2consulting.co.za— see Section 12 for full contact details.
1. Who we are
i Squared (Pty) Ltd ("i Squared", "we", "us", "our") is a private company incorporated in the Republic of South Africa:
- Company registration: 2025/715409/07
- Trading name: PlatformA — Insurance Intelligence ("PlatformA")
- Jurisdiction: Republic of South Africa
- Information Officer: appointed and registered with the Information Regulator; reachable via
privacy@i2consulting.co.za - Deputy Information Officer: appointed; same contact channel
- Contact for privacy matters:
privacy@i2consulting.co.za
PlatformA is the trading name we use for our insurance technology platform. References to "PlatformA" in this policy mean i Squared (Pty) Ltd operating the platform unless context indicates otherwise.
2. Which hat we're wearing — Responsible Party vs Operator
POPIA distinguishes between the Responsible Party (the organisation that decides what personal information to process and why) and the Operator (the organisation that processes personal information on behalf of the Responsible Party). The same organisation can be either at different times, depending on the context.
When we are the Responsible Party
We are the Responsible Party — and this policy applies in full — when you interact with us in any of the following ways:
- You visit platforma.co.za or i2consulting.co.za;
- You send us an email, place a call, or use a contact form;
- You apply to use PlatformA for your own insurance business;
- You are an employee, contractor, or director of i Squared;
- You are an investor, lender, or other stakeholder we communicate with directly;
- You apply for a role with us.
When we are the Operator
We act as an Operator — meaning another organisation (the "Tenant Insurer") is the Responsible Party and we process under their instruction — when:
- An insurer customer uses PlatformA to administer policies, quote new business, or process claims;
- A broker or funeral parlour uses PlatformA to capture or submit business on behalf of an insurer client;
- You are an end-policyholder of an insurer that uses PlatformA.
In those cases, the Tenant Insurer's privacy notice governs how your information is handled. We follow their instructions, under a written Operator Agreement that meets POPIA s20 and s21 requirements. We do not use your information for our own purposes, do not sell it, and do not share it outside the chain authorised by the Tenant Insurer.
If you are an end-policyholder unsure which insurer holds your policy, look at your policy schedule or claim acknowledgement — the Responsible Party is the insurer named on those documents.
3. What personal information we process
3.1 When we are the Responsible Party
When you interact with us directly, we may process:
| Category | Examples | When we collect |
|---|---|---|
| Contact details | Name, work email, work phone, work address | When you contact us, request a demo, sign up, apply for work |
| Professional context | Job title, employer, the role you play in your organisation | When you contact us or apply to use PlatformA |
| Technical and security data | IP address, browser and device characteristics, pages visited, referrer, authenticated request metadata | When you use platforma.co.za or app.platforma.co.za |
| Communications | Emails, calls, meeting notes and (where applicable) transcripts | When we communicate with you |
| Sign-in data | Identity provider account identifier, sign-in timestamps, MFA events | When you sign in to PlatformA |
| Employment data (where applicable) | CV, ID number, banking details, tax number, pay records | If you apply for work or are employed by us |
We collect this information mainly from you, directly. In some cases we receive it from professional networks (e.g., LinkedIn), from a Tenant Insurer who refers you to us, or from publicly-available sources.
3.2 When we are the Operator
When you are an end-policyholder, claimant, broker, or funeral parlour user of an insurer's PlatformA tenancy, the categories processed depend on what the Tenant Insurer instructs us to do. Typically:
| Category | Examples |
|---|---|
| Identification | Names, South African ID numbers, dates of birth, gender |
| Contact | Postal address, residential address, phone numbers, email |
| Policy data | Policy number, sums assured, premiums, benefits, cover dates, beneficiary nominations |
| Claim data | Claim event details, documents uploaded (death certificate, ID copy, banking confirmation, medical records where relevant) |
| Banking | Account number, branch, account holder name (for premium collection or claim payout) |
| Special personal information (POPIA s26) | Health information, cause of death (claims only), biometric information if used for identity verification |
| Children's personal information (POPIA s34) | Beneficiary or dependent details where the data subject is under 18 |
All processing here is on behalf of the Tenant Insurer and under their privacy notice.
3.3 Cookies and tracking on our website
We use a small set of tracking technologies on platforma.co.za and i2consulting.co.za:
- Privacy-friendly visit analytics — count visits and visitor paths so we can measure traffic. No persistent identifiers are set for this purpose.
- Sign-in cookies — set by our identity provider during authentication; required for the sign-in flow.
- Session cookies — strictly necessary for keeping you signed in during an authenticated session.
We do not use advertising trackers, profiling pixels, or analytics that follow visitors across sites. We do not sell or share visitor data with advertisers.
You can clear cookies or disable them in your browser at any time. Doing so will prevent you signing in to PlatformA but won't otherwise affect your visit to the public website.
4. Why we process personal information (the legal basis)
POPIA requires every act of processing to have a lawful basis under section 11. The lawful basis depends on the context:
| Processing purpose | Lawful basis (s11) | Hat |
|---|---|---|
| Responding to your enquiry | s11(1)(a) — your consent (implied by you contacting us) | RP |
| Sending you information about our services after you've asked | s11(1)(a) — consent | RP |
| Administering a contract with you (e.g., as a customer, employee, vendor) | s11(1)(b) — performance of contract | RP |
| Complying with statutory obligations (CIPC, SARS, Information Regulator filings) | s11(1)(c) — legal obligation | RP |
| Protecting the security of our systems and yours | s11(1)(d) — protection of legitimate interest of data subject; s11(1)(f) — legitimate interest of i Squared | RP |
| Recruitment and employee management | s11(1)(b) — pre-contractual; s11(1)(c) — labour law | RP |
| Processing on behalf of a Tenant Insurer | Their lawful basis (typically s11(1)(b) — performance of insurance contract) | Operator |
| Special personal information (e.g., cause of death) | s27 — explicit consent obtained by the Tenant Insurer at policy or claim stage | Operator |
| Children's personal information | s35 — parental/guardian consent or s35(1)(b) where pursuant to law (e.g., paying a benefit to a minor) | Operator |
5. Who we share personal information with — sub-processors
We share personal information only as necessary to provide our services and meet our legal obligations. We do not sell personal information.
5.1 Categories of sub-processor
We use a small set of third-party service providers ("sub-processors") to operate the PlatformA platform. Each sub-processor is engaged under an Operator Agreement meeting POPIA s20-21 requirements. We disclose them by category below; the current named list, including their identity, data residency, and contractual safeguards, is available on request from our Information Officer and is disclosed to insurer customers under their Operator Agreements.
| Category | What they do | Data residency | Safeguards |
|---|---|---|---|
| Cloud infrastructure provider | Compute, database, storage, identity, and key management for the PlatformA platform | Primary: South Africa. Limited identity, anti-spam, and security telemetry may be processed in EU or US regions. | International security certifications (ISO 27001, SOC 2 Type II) and a Data Protection Addendum aligned with POPIA s20-21 |
| AI processing sub-processor | Large language model used to assist with operational tasks including claim document review and internal operations | United States | Operator Agreement; Zero Data Retention or equivalent configuration so prompts and outputs are not retained and are not used to train models |
| Edge security and content delivery provider | Web Application Firewall, DDoS protection, rate limiting, DNS, and content delivery for our public-facing domains | Globally distributed edge network | International security certifications and a Data Protection Addendum aligned with POPIA |
| Transactional email provider | Sending authentication codes, system notifications, and other transactional email | EU + South Africa | Same Data Protection Addendum as the cloud infrastructure provider |
| Productivity and collaboration provider | Email, calendar, document storage for our staff (incidentally contains your information when you correspond with us) | EU + global | International security certifications and a Data Protection Addendum aligned with POPIA |
If you want the names of our current sub-processors, contact our Information Officer (Section 12). We will respond within a reasonable time, normally within 30 days.
5.2 Cross-border transfer
Some processing takes place outside South Africa. Categories of cross-border processing include:
- AI processing in the United States (for the AI category in Section 5.1);
- Identity, anti-spam, and security telemetry in EU regions (for the cloud infrastructure and productivity categories);
- Edge security and content delivery via a globally-distributed network.
We rely on the following POPIA s72 lawful bases for cross-border transfer:
- s72(1)(a) — the recipient is subject to a binding code of conduct, contract, or law that upholds principles substantially similar to POPIA. We rely on the contractual safeguards in our Data Protection Addenda with each cross-border sub-processor.
- s72(1)(b) — your consent (obtained via the Tenant Insurer's privacy notice at policy or claim stage, where relevant).
If you would like more detail on the contractual safeguards in place, contact our Information Officer.
5.3 Other recipients
In specific circumstances, we may also disclose personal information to:
- Regulators (e.g., the Information Regulator, the Prudential Authority, the Financial Sector Conduct Authority, SAPS) — where required by law or on receipt of a lawful instruction;
- Auditors and professional advisors (e.g., external accountants, lawyers) — under their own confidentiality obligations;
- Operationally connected third parties specified by the Tenant Insurer (e.g., reinsurers, the Department of Home Affairs for NPR death verification, the Health Professions Council of South Africa for practitioner verification) — when we are acting as Operator on their instruction.
6. How long we keep personal information
| Category | Retention period |
|---|---|
| Website analytics | Aggregated within 30 days; no per-visitor records retained beyond a session |
| Sign-in logs and security audit logs | Minimum 1 year, up to 7 years where there has been an investigated incident |
| Contact form and enquiry correspondence | 3 years from last contact |
| Customer records (Tenant Insurer agreements) | Duration of contract + 7 years (FAIS Act and insurance industry norm) |
| Operator-processed policyholder data | Per the Tenant Insurer's instructions — typically duration of policy + 5 years to support audit and reinsurance |
| Employment records | Duration of employment + 5 years (Basic Conditions of Employment Act requirement) |
| Breach response records | 5 years from incident closure |
| Financial records (invoices, tax) | 5 years (Tax Administration Act) |
When the retention period ends, we delete or de-identify the personal information unless we are required by law to retain it longer.
7. How we keep personal information secure
POPIA s17 requires reasonable organisational and technical measures to safeguard personal information. Our measures include:
7.1 Organisational measures
- Information Officer and Deputy Information Officer are formally appointed and registered with the Information Regulator.
- Documented incident response process with named roles, severity classification, and statutory notification timelines.
- Privacy-by-design and security-by-design are applied to new product features through documented design review.
- Staff training on POPIA, phishing, and incident reporting is conducted on joining and annually.
- Operator agreements with all sub-processors include POPIA-aligned data protection terms.
- Access control is least-privilege; access reviews are conducted quarterly.
7.2 Technical measures
- Multi-factor authentication is enforced on all administrative and customer accounts, with phishing-resistant methods.
- Single Sign-On is the only sign-in method for PlatformA; we do not store passwords ourselves.
- Encryption of all data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Continuous security monitoring across infrastructure, identity, endpoint, and application layers, with ML-assisted correlation of low-confidence signals into incidents.
- Endpoint protection on all staff devices with real-time protection and network-level filtering.
- Posture management and threat detection across all production cloud services using industry-standard tooling.
- Edge controls including a Web Application Firewall, DDoS protection, and bot management on public-facing domains.
- Conditional Access policies restrict sign-in based on device compliance, sign-in risk, and geographic origin.
We do not publicly detail the specific tools, rules, or thresholds we use, because doing so would assist anyone attempting to bypass them. We review and update our security measures regularly as threats and technology evolve, and audit and assurance evidence is available to insurer customers and regulators under appropriate confidentiality terms.
8. If something goes wrong — breach notification
We have a documented incident response process. If personal information has been or may have been compromised, we will:
- Notify the Information Regulator as soon as reasonably possible (under POPIA s22), within 72 hours of becoming aware of the compromise, unless there are operational reasons to delay.
- Notify affected data subjects as soon as we can describe the incident accurately and provide useful protective recommendations — typically within 14 days.
- Notify Tenant Insurers within 24 hours of incidents affecting their data, per our Operator Agreements.
- Cooperate fully with regulator investigations and any forensic engagement.
The notification will include the nature of the compromise, the categories of personal information affected, the likely consequences, the measures we have taken to mitigate, and the steps you can take to protect yourself.
9. Your rights under POPIA
You have the following rights in relation to personal information we hold about you:
9.1 Right of access (POPIA s23)
You can ask us to confirm whether we hold personal information about you, and to provide you with a copy. There is no charge for a first request in a calendar year. We will respond within a reasonable time, normally within 30 days.
9.2 Right to correction or deletion (POPIA s24)
You can ask us to correct any information that is wrong, out of date, misleading, or excessive. You can ask us to delete information we no longer have a lawful basis to hold.
9.3 Right to withdraw consent
Where we process on the basis of your consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. In some cases, withdrawal may affect our ability to provide a service to you (e.g., if you withdraw consent for processing necessary to administer a contract, the contract may need to be terminated).
9.4 Right to object (POPIA s11(3))
You can object to processing on the basis of legitimate interest (s11(1)(f)) — for example, if you are uncomfortable with our use of security logs that include your IP address. We will consider the objection and either stop the processing, restrict it, or explain to you why we believe it should continue.
9.5 Right to require human review of automated decision-making (POPIA s71)
We use AI in claims-decision-support, but every claim outcome is decided by a person, not the AI. If you are nevertheless concerned about how an automated process affected you, you have the right to require human review of the decision, and an explanation of how the decision was reached. Contact us, or contact the Tenant Insurer if your concern relates to a specific claim or policy.
9.6 Right to complain (POPIA s74)
You have the right to lodge a complaint with us, with the Tenant Insurer (where we are acting as Operator), and with the Information Regulator. Our preferred path is that you raise the concern with us first so we can address it — but you are not obliged to do so before approaching the Regulator.
The Information Regulator's contact details are at the end of this policy.
10. Special information about specific contexts
10.1 AI and automated decisions
PlatformA uses an AI model — operated by our AI processing sub-processor (Section 5.1) under a Zero Data Retention configuration — to read claim documents and produce a structured "Decision Pack" for the Tenant Insurer's human assessor. The AI does not make decisions; it summarises and flags. The final decision is always made by a person.
We use AI because it speeds up claim processing, reduces inconsistency between assessors, and frees the human assessor to focus on the cases that genuinely need their judgment. This is in line with Treating Customers Fairly principles — faster, more consistent claim decisions benefit the policyholder.
If you have any concern about how AI was used in a decision affecting you, you have the s71 right to require human review.
10.2 Children's personal information
Some of our processing relates to children — typically because a child is named as a beneficiary or dependent on a funeral policy. POPIA s34 prohibits processing children's personal information except in specific circumstances, including:
- s35(1)(a) — parental or guardian consent (obtained by the Tenant Insurer at policy or claim stage);
- s35(1)(b) — pursuant to law or to protect the legitimate interests of the child (e.g., paying a benefit nominated for the child).
We do not market to children, do not collect children's information directly from children, and do not process children's information for profiling or behavioural advertising.
10.3 Special personal information
Cause of death, medical history, and (where applicable) biometric information used for identity verification are Special Personal Information under POPIA s26. We process these only under the explicit consent obtained by the Tenant Insurer (s27(1)(a)) at policy or claim stage, or under one of the specific authorisations in s27.
10.4 Direct marketing
We do not engage in direct marketing under POPIA s69 unless you have given your specific consent. Information about our services on our website, in white papers, and in publicly-distributed materials is not direct marketing; targeted email or SMS to you specifically is.
If you receive an email from us that you consider direct marketing, you can unsubscribe at the link in the email, or contact our Information Officer.
11. Changes to this policy
We may update this policy from time to time, for example to reflect a change in sub-processors, a new feature in the platform, or a regulatory change. Material changes will be:
- Highlighted on the policy with a "What's changed" note;
- Communicated to Tenant Insurers via our Operator Agreement update process;
- For direct customers, communicated via email at least 30 days before they take effect, where the change is material to you.
The version date and history are at the bottom of this policy.
12. Contact details
Our Information Officer
| Role | Information Officer (appointed and registered with the Information Regulator) |
|---|---|
privacy@i2consulting.co.za |
Our Deputy Information Officer
| Role | Deputy Information Officer (appointed) |
|---|---|
privacy@i2consulting.co.za (same shared inbox) |
We do not publish personal names or postal addresses for the Information Officer or Deputy Information Officer roles in this public notice. Personal contact details are recorded in the Information Regulator's registry and are available to data subjects, regulators, and counterparties on request via the privacy@i2consulting.co.za channel.
The Information Regulator (South Africa)
| Email — general | inforeg@justice.gov.za |
|---|---|
| Email — complaints | POPIAComplaints@inforegulator.org.za |
| Email — breach notifications | breachnotification@inforegulator.org.za |
| Website | https://inforegulator.org.za/ |
| Postal address | JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 |
Revision history
| Date | Version | Changes |
|---|---|---|
| 2026-05-20 | v0.1 (draft) | Initial draft; pending Information Officer + Deputy Information Officer + external counsel review and sign-off; pending implementation as a public page. |
| 2026-05-20 | v0.2 (draft) | Generalised sub-processor disclosure from named vendors to categories. Removed specific tool names from Section 7.2 (Technical measures). Generalised cookie/analytics references. |
| 2026-05-21 | v0.3 (draft) | Removed client name references from public-facing sections under client confidentiality. Generic "insurer customer" and "Tenant Insurer" terminology now used throughout. |
| 2026-05-27 | v0.4 (interim) | Published as interim notice pending external POPIA-knowledgeable counsel review. Personal names and addresses for the Information Officer and Deputy Information Officer removed from the public notice — role-based contact only. |