Privacy Policy

Status: Interim — published 2026-05-27 pending external POPIA-knowledgeable counsel review. Material updates will be communicated under Section 11.

At a glance

If you don't want to read the whole policy, the most important points are:

1. Who we are

i Squared (Pty) Ltd ("i Squared", "we", "us", "our") is a private company incorporated in the Republic of South Africa:

PlatformA is the trading name we use for our insurance technology platform. References to "PlatformA" in this policy mean i Squared (Pty) Ltd operating the platform unless context indicates otherwise.

2. Which hat we're wearing — Responsible Party vs Operator

POPIA distinguishes between the Responsible Party (the organisation that decides what personal information to process and why) and the Operator (the organisation that processes personal information on behalf of the Responsible Party). The same organisation can be either at different times, depending on the context.

When we are the Responsible Party

We are the Responsible Party — and this policy applies in full — when you interact with us in any of the following ways:

When we are the Operator

We act as an Operator — meaning another organisation (the "Tenant Insurer") is the Responsible Party and we process under their instruction — when:

In those cases, the Tenant Insurer's privacy notice governs how your information is handled. We follow their instructions, under a written Operator Agreement that meets POPIA s20 and s21 requirements. We do not use your information for our own purposes, do not sell it, and do not share it outside the chain authorised by the Tenant Insurer.

If you are an end-policyholder unsure which insurer holds your policy, look at your policy schedule or claim acknowledgement — the Responsible Party is the insurer named on those documents.

3. What personal information we process

3.1 When we are the Responsible Party

When you interact with us directly, we may process:

CategoryExamplesWhen we collect
Contact detailsName, work email, work phone, work addressWhen you contact us, request a demo, sign up, apply for work
Professional contextJob title, employer, the role you play in your organisationWhen you contact us or apply to use PlatformA
Technical and security dataIP address, browser and device characteristics, pages visited, referrer, authenticated request metadataWhen you use platforma.co.za or app.platforma.co.za
CommunicationsEmails, calls, meeting notes and (where applicable) transcriptsWhen we communicate with you
Sign-in dataIdentity provider account identifier, sign-in timestamps, MFA eventsWhen you sign in to PlatformA
Employment data (where applicable)CV, ID number, banking details, tax number, pay recordsIf you apply for work or are employed by us

We collect this information mainly from you, directly. In some cases we receive it from professional networks (e.g., LinkedIn), from a Tenant Insurer who refers you to us, or from publicly-available sources.

3.2 When we are the Operator

When you are an end-policyholder, claimant, broker, or funeral parlour user of an insurer's PlatformA tenancy, the categories processed depend on what the Tenant Insurer instructs us to do. Typically:

CategoryExamples
IdentificationNames, South African ID numbers, dates of birth, gender
ContactPostal address, residential address, phone numbers, email
Policy dataPolicy number, sums assured, premiums, benefits, cover dates, beneficiary nominations
Claim dataClaim event details, documents uploaded (death certificate, ID copy, banking confirmation, medical records where relevant)
BankingAccount number, branch, account holder name (for premium collection or claim payout)
Special personal information (POPIA s26)Health information, cause of death (claims only), biometric information if used for identity verification
Children's personal information (POPIA s34)Beneficiary or dependent details where the data subject is under 18

All processing here is on behalf of the Tenant Insurer and under their privacy notice.

3.3 Cookies and tracking on our website

We use a small set of tracking technologies on platforma.co.za and i2consulting.co.za:

We do not use advertising trackers, profiling pixels, or analytics that follow visitors across sites. We do not sell or share visitor data with advertisers.

You can clear cookies or disable them in your browser at any time. Doing so will prevent you signing in to PlatformA but won't otherwise affect your visit to the public website.

4. Why we process personal information (the legal basis)

POPIA requires every act of processing to have a lawful basis under section 11. The lawful basis depends on the context:

Processing purposeLawful basis (s11)Hat
Responding to your enquirys11(1)(a) — your consent (implied by you contacting us)RP
Sending you information about our services after you've askeds11(1)(a) — consentRP
Administering a contract with you (e.g., as a customer, employee, vendor)s11(1)(b) — performance of contractRP
Complying with statutory obligations (CIPC, SARS, Information Regulator filings)s11(1)(c) — legal obligationRP
Protecting the security of our systems and yourss11(1)(d) — protection of legitimate interest of data subject; s11(1)(f) — legitimate interest of i SquaredRP
Recruitment and employee managements11(1)(b) — pre-contractual; s11(1)(c) — labour lawRP
Processing on behalf of a Tenant InsurerTheir lawful basis (typically s11(1)(b) — performance of insurance contract)Operator
Special personal information (e.g., cause of death)s27 — explicit consent obtained by the Tenant Insurer at policy or claim stageOperator
Children's personal informations35 — parental/guardian consent or s35(1)(b) where pursuant to law (e.g., paying a benefit to a minor)Operator

5. Who we share personal information with — sub-processors

We share personal information only as necessary to provide our services and meet our legal obligations. We do not sell personal information.

5.1 Categories of sub-processor

We use a small set of third-party service providers ("sub-processors") to operate the PlatformA platform. Each sub-processor is engaged under an Operator Agreement meeting POPIA s20-21 requirements. We disclose them by category below; the current named list, including their identity, data residency, and contractual safeguards, is available on request from our Information Officer and is disclosed to insurer customers under their Operator Agreements.

CategoryWhat they doData residencySafeguards
Cloud infrastructure providerCompute, database, storage, identity, and key management for the PlatformA platformPrimary: South Africa. Limited identity, anti-spam, and security telemetry may be processed in EU or US regions.International security certifications (ISO 27001, SOC 2 Type II) and a Data Protection Addendum aligned with POPIA s20-21
AI processing sub-processorLarge language model used to assist with operational tasks including claim document review and internal operationsUnited StatesOperator Agreement; Zero Data Retention or equivalent configuration so prompts and outputs are not retained and are not used to train models
Edge security and content delivery providerWeb Application Firewall, DDoS protection, rate limiting, DNS, and content delivery for our public-facing domainsGlobally distributed edge networkInternational security certifications and a Data Protection Addendum aligned with POPIA
Transactional email providerSending authentication codes, system notifications, and other transactional emailEU + South AfricaSame Data Protection Addendum as the cloud infrastructure provider
Productivity and collaboration providerEmail, calendar, document storage for our staff (incidentally contains your information when you correspond with us)EU + globalInternational security certifications and a Data Protection Addendum aligned with POPIA

If you want the names of our current sub-processors, contact our Information Officer (Section 12). We will respond within a reasonable time, normally within 30 days.

5.2 Cross-border transfer

Some processing takes place outside South Africa. Categories of cross-border processing include:

We rely on the following POPIA s72 lawful bases for cross-border transfer:

If you would like more detail on the contractual safeguards in place, contact our Information Officer.

5.3 Other recipients

In specific circumstances, we may also disclose personal information to:

6. How long we keep personal information

CategoryRetention period
Website analyticsAggregated within 30 days; no per-visitor records retained beyond a session
Sign-in logs and security audit logsMinimum 1 year, up to 7 years where there has been an investigated incident
Contact form and enquiry correspondence3 years from last contact
Customer records (Tenant Insurer agreements)Duration of contract + 7 years (FAIS Act and insurance industry norm)
Operator-processed policyholder dataPer the Tenant Insurer's instructions — typically duration of policy + 5 years to support audit and reinsurance
Employment recordsDuration of employment + 5 years (Basic Conditions of Employment Act requirement)
Breach response records5 years from incident closure
Financial records (invoices, tax)5 years (Tax Administration Act)

When the retention period ends, we delete or de-identify the personal information unless we are required by law to retain it longer.

7. How we keep personal information secure

POPIA s17 requires reasonable organisational and technical measures to safeguard personal information. Our measures include:

7.1 Organisational measures

7.2 Technical measures

We do not publicly detail the specific tools, rules, or thresholds we use, because doing so would assist anyone attempting to bypass them. We review and update our security measures regularly as threats and technology evolve, and audit and assurance evidence is available to insurer customers and regulators under appropriate confidentiality terms.

8. If something goes wrong — breach notification

We have a documented incident response process. If personal information has been or may have been compromised, we will:

The notification will include the nature of the compromise, the categories of personal information affected, the likely consequences, the measures we have taken to mitigate, and the steps you can take to protect yourself.

9. Your rights under POPIA

You have the following rights in relation to personal information we hold about you:

9.1 Right of access (POPIA s23)

You can ask us to confirm whether we hold personal information about you, and to provide you with a copy. There is no charge for a first request in a calendar year. We will respond within a reasonable time, normally within 30 days.

9.2 Right to correction or deletion (POPIA s24)

You can ask us to correct any information that is wrong, out of date, misleading, or excessive. You can ask us to delete information we no longer have a lawful basis to hold.

9.3 Right to withdraw consent

Where we process on the basis of your consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. In some cases, withdrawal may affect our ability to provide a service to you (e.g., if you withdraw consent for processing necessary to administer a contract, the contract may need to be terminated).

9.4 Right to object (POPIA s11(3))

You can object to processing on the basis of legitimate interest (s11(1)(f)) — for example, if you are uncomfortable with our use of security logs that include your IP address. We will consider the objection and either stop the processing, restrict it, or explain to you why we believe it should continue.

9.5 Right to require human review of automated decision-making (POPIA s71)

We use AI in claims-decision-support, but every claim outcome is decided by a person, not the AI. If you are nevertheless concerned about how an automated process affected you, you have the right to require human review of the decision, and an explanation of how the decision was reached. Contact us, or contact the Tenant Insurer if your concern relates to a specific claim or policy.

9.6 Right to complain (POPIA s74)

You have the right to lodge a complaint with us, with the Tenant Insurer (where we are acting as Operator), and with the Information Regulator. Our preferred path is that you raise the concern with us first so we can address it — but you are not obliged to do so before approaching the Regulator.

The Information Regulator's contact details are at the end of this policy.

10. Special information about specific contexts

10.1 AI and automated decisions

PlatformA uses an AI model — operated by our AI processing sub-processor (Section 5.1) under a Zero Data Retention configuration — to read claim documents and produce a structured "Decision Pack" for the Tenant Insurer's human assessor. The AI does not make decisions; it summarises and flags. The final decision is always made by a person.

We use AI because it speeds up claim processing, reduces inconsistency between assessors, and frees the human assessor to focus on the cases that genuinely need their judgment. This is in line with Treating Customers Fairly principles — faster, more consistent claim decisions benefit the policyholder.

If you have any concern about how AI was used in a decision affecting you, you have the s71 right to require human review.

10.2 Children's personal information

Some of our processing relates to children — typically because a child is named as a beneficiary or dependent on a funeral policy. POPIA s34 prohibits processing children's personal information except in specific circumstances, including:

We do not market to children, do not collect children's information directly from children, and do not process children's information for profiling or behavioural advertising.

10.3 Special personal information

Cause of death, medical history, and (where applicable) biometric information used for identity verification are Special Personal Information under POPIA s26. We process these only under the explicit consent obtained by the Tenant Insurer (s27(1)(a)) at policy or claim stage, or under one of the specific authorisations in s27.

10.4 Direct marketing

We do not engage in direct marketing under POPIA s69 unless you have given your specific consent. Information about our services on our website, in white papers, and in publicly-distributed materials is not direct marketing; targeted email or SMS to you specifically is.

If you receive an email from us that you consider direct marketing, you can unsubscribe at the link in the email, or contact our Information Officer.

11. Changes to this policy

We may update this policy from time to time, for example to reflect a change in sub-processors, a new feature in the platform, or a regulatory change. Material changes will be:

The version date and history are at the bottom of this policy.

12. Contact details

Our Information Officer

RoleInformation Officer (appointed and registered with the Information Regulator)
Emailprivacy@i2consulting.co.za

Our Deputy Information Officer

RoleDeputy Information Officer (appointed)
Emailprivacy@i2consulting.co.za (same shared inbox)

We do not publish personal names or postal addresses for the Information Officer or Deputy Information Officer roles in this public notice. Personal contact details are recorded in the Information Regulator's registry and are available to data subjects, regulators, and counterparties on request via the privacy@i2consulting.co.za channel.

The Information Regulator (South Africa)

Email — generalinforeg@justice.gov.za
Email — complaintsPOPIAComplaints@inforegulator.org.za
Email — breach notificationsbreachnotification@inforegulator.org.za
Websitehttps://inforegulator.org.za/
Postal addressJD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Revision history

DateVersionChanges
2026-05-20v0.1 (draft)Initial draft; pending Information Officer + Deputy Information Officer + external counsel review and sign-off; pending implementation as a public page.
2026-05-20v0.2 (draft)Generalised sub-processor disclosure from named vendors to categories. Removed specific tool names from Section 7.2 (Technical measures). Generalised cookie/analytics references.
2026-05-21v0.3 (draft)Removed client name references from public-facing sections under client confidentiality. Generic "insurer customer" and "Tenant Insurer" terminology now used throughout.
2026-05-27v0.4 (interim)Published as interim notice pending external POPIA-knowledgeable counsel review. Personal names and addresses for the Information Officer and Deputy Information Officer removed from the public notice — role-based contact only.