01 — Introduction
X Underwriting Managers (Pty) Ltd ("we", "us", "our", or "X Underwriting") acts as an authorised representative providing administrative and intermediary services on behalf of Compass Insurance Company Limited ("Compass Insure"), a licensed non-life insurer and authorised financial services provider, FSP 12148.
This Privacy Policy explains how we collect, use, store, share and protect personal information in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the Promotion of Access to Information Act 2 of 2000 ("PAIA"), and all applicable South African data protection legislation.
This policy applies to all personal information collected through our website, applications, communications, and in the course of providing insurance-related services. By engaging with us, you acknowledge that you have read and understood this policy.
We may update this policy from time to time. We will notify you of material changes via a prominent notice prior to those changes taking effect.
02 — Definitions
Personal Information
Any information relating to an identifiable, living, natural person or existing juristic person, including but not limited to: name, identity number, contact details, financial information, health information, biometric information, and correspondence.
De-identified Information
Information from which all personal identifiers have been removed such that the individual cannot reasonably be re-identified. De-identified information is no longer considered personal information under POPIA and may be used for analytical, statistical, research, and machine learning purposes.
Processing
Any operation or activity concerning personal information, including collection, receipt, recording, organisation, storage, updating, retrieval, use, dissemination, merging, linking, restriction, degradation, erasure or destruction.
Responsible Party
X Underwriting Managers (Pty) Ltd, as the entity that determines the purpose of and means for processing your personal information.
Data Subject
The natural or juristic person to whom personal information relates — in most cases, this is you as our policyholder, beneficiary, or website visitor.
03 — Information We Collect
We collect personal information that is necessary, relevant and adequate for the purposes set out in this policy. The categories of information we may collect include:
Identity Information
Full name, identity or passport number, date of birth, gender, nationality.
Contact Details
Email address, phone number, residential and postal address.
Financial Information
Banking details for premium collection and claim payments, payment history.
Health Information
Medical aid membership details, medical records and clinical information relevant to claims assessment.
Policy Information
Policy number, cover type, beneficiary details, claims history.
Usage & Technical Data
IP address, browser type, device identifiers, pages visited, time and date of visits, and other diagnostic data collected when you use our website or applications.
Where you contact us by phone, email, post or any other method, we may retain those contact details and any additional information you provide for future reference and service delivery.
Incomplete submissions
We may retain information you provide on our website or application even if you do not complete a registration or transaction. This data may be used to follow up with you and to improve our online processes.
04 — Use of Information
We process your personal information for the following purposes, each of which has a lawful basis under POPIA:
De-identified data & machine learning
We may use de-identified, aggregated data — from which all personal identifiers have been irreversibly removed — for analytical, statistical, actuarial, research, and machine learning purposes. This includes training models to improve our underwriting processes, claims assessment, fraud detection, service design, and operational efficiency. Such de-identified data is not subject to POPIA's restrictions. We will never attempt to re-identify de-identified data.
05 — Cookies
Our website uses cookies — small text files stored on your device — to personalise your experience and improve site functionality. Each cookie is unique to your web browser and contains anonymous information such as a unique identifier and the website's domain name.
Types of cookies we useNecessary Cookies
Essential for the website to function correctly. They allow you to navigate and use core features such as account access.
Functionality Cookies
Remember your preferences and choices to provide a more personalised experience on return visits.
Analytical Cookies
Collect aggregated, non-personal statistical data about how visitors use our website, helping us improve the user experience.
You have the right to accept or decline cookies through your browser settings. Declining certain cookies may limit your ability to use some features of our website. We may use Google Analytics to monitor and analyse website usage — you can opt out by installing the Google Analytics opt-out browser add-on.
06 — Sharing Your Information
We do not sell, rent or lease your personal information to third parties. We may share your information only in the following circumstances and only to the extent necessary:
07 — Storage & Retention
Your personal information is stored on secure servers in controlled environments, protected through appropriate physical, electronic and administrative safeguards.
We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, including:
When your information is no longer required, we will securely delete or de-identify it in accordance with our data retention schedule.
Cross-border transfers
Where personal information is transferred outside South Africa, we will ensure that the recipient country or organisation provides an adequate level of protection, or that appropriate safeguards are in place as required by POPIA section 72.
08 — Security
We implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration or destruction of your data, including encryption of data in transit (SSL/TLS), access controls, secure server environments and regular security reviews.
Please be aware that no method of electronic transmission or storage is completely secure. Where we have issued you a password to access parts of our website or systems, you are responsible for keeping that password confidential.
Security incidents
In the event of a security compromise that is likely to affect you adversely, we will notify you and the Information Regulator as required by section 22 of POPIA, without undue delay.
09 — Your Rights
As a data subject, you have the following rights in relation to your personal information. You may exercise these rights by contacting our Information Officer.
Right to Access
Request confirmation of whether we hold personal information about you and access that information.
Right to Correction
Request that we correct or update inaccurate, incomplete or outdated personal information we hold about you.
Right to Deletion
Request deletion or destruction of your personal information where we are no longer lawfully entitled to retain it.
Right to Object
Object to the processing of your personal information on reasonable grounds, including for direct marketing purposes.
Right to Withdraw Consent
Where processing is based on your consent, withdraw that consent at any time without affecting prior processing.
Right to Complain
Lodge a complaint with the Information Regulator of South Africa if you believe your rights under POPIA have been infringed.
Information Regulator contact details
The Information Regulator (South Africa) · JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001 · Email: inforeg@justice.gov.za · Website: www.inforegulator.org.za
10 — Children's Privacy
Our services and website are not directed at persons under the age of 18. We do not knowingly collect personal information from children without verifiable parental or guardian consent.
If you are a parent or guardian and believe a child has provided us with personal information without your consent, please contact our Information Officer immediately. We will take prompt steps to remove that information from our records.
Where a minor is a beneficiary under a policy held by an adult, we will process only the minimum personal information of that minor necessary for the administration of the policy.
11 — Third-Party Links
Our website and applications may contain links to external websites. Once you navigate away from our platforms, we have no control over those external sites and are not responsible for the protection of any information you provide to them.
We encourage you to review the privacy policy of any external website you visit. Those sites are governed by their own privacy practices, not by this policy.
12 — Marketing Communications
We may use your personal information to send you marketing communications about our products and services where you have subscribed or where we have a legitimate interest to do so under POPIA.
You may opt out at any time by following the unsubscribe link in any marketing email, or by contacting our Information Officer. Opting out of marketing will not affect service-related communications necessary for the administration of your policy.
13 — Contact & Complaints
If you have any questions, concerns or requests relating to this policy or our handling of your personal information, please contact our Information Officer. We will acknowledge your request within a reasonable time and respond substantively within 30 days.
If you are not satisfied with our response, you have the right to escalate your complaint to the Information Regulator of South Africa at inforeg@justice.gov.za.