POPIA Notice
Last updated: 2026-06-10
This notice is issued in terms of the Protection of Personal Information Act 4 of 2013 (POPIA) and describes how ClaimPulse processes personal information.
1. Responsible party
ClaimPulse (the platform operator) is the responsible party for personal information collected directly from broker registrants. FSP-licensed brokers using ClaimPulse are the responsible parties for their clients' personal information; ClaimPulse acts as the operator.
2. Purpose of processing
Personal information is processed for the following lawful purposes:
- Providing the ClaimPulse compliance management service
- Processing subscription payments
- Sending transactional and operational communications
- Generating AI-assisted compliance documents
- Maintaining audit trails required by FSCA regulations
3. Categories of personal information
- Broker data: Name, email, phone, FSP number
- Client data: Name, email, phone, hashed ID number (SHA-256; raw ID never stored)
- Complaint/claim data: Descriptions, dates, resolution notes (no medical information stored)
- Financial data: Subscription payment records (card details held by PayFast, not ClaimPulse)
4. Special personal information
ClaimPulse does not store medical information. Medical aid claim records reference the claim type and outcome only. SA identity numbers are never stored in plaintext — only a one-way SHA-256 cryptographic hash is stored, which cannot be reversed to recover the original number.
5. Data retention
- Complaint and claim records: Retained for 5 years from date of resolution, as required by FSCA regulations, then auto-archived
- Broker account data: Retained while the subscription is active plus 30 days after cancellation
- Audit logs: Retained for 5 years — immutable, cannot be deleted earlier
6. Data residency
Personal information is stored on Supabase infrastructure located in EU West (Ireland). Ireland is subject to the EU General Data Protection Regulation (GDPR), which provides protections equivalent to or exceeding POPIA requirements. ClaimPulse will evaluate migration to a South African hosting region when Supabase or equivalent infrastructure becomes available.
7. Third-party operators
ClaimPulse discloses personal information to the following operators, each governed by their own privacy frameworks:
- Supabase Inc. — database and file storage (Ireland)
- Anthropic PBC — AI processing for document generation (USA). Complaint text is transmitted to Anthropic's API for letter and report drafting. Anthropic's enterprise data usage policy governs this processing.
- Resend Inc. — transactional email delivery
- PayFast (Network International) — payment processing (South Africa)
8. Security measures
ClaimPulse implements the following security measures:
- All data in transit encrypted with TLS 1.2+
- All data at rest encrypted at the database level
- Row-Level Security (RLS) on all database tables — brokers can only access their own data
- SA ID numbers stored as one-way SHA-256 hash only
- Authentication via Supabase Auth with email/password or magic link
9. Data subject rights
Under POPIA, you have the right to:
- Request access to your personal information
- Request correction of inaccurate information
- Request deletion of your information (subject to the 5-year FSCA retention obligation)
- Object to processing
- Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za)
To exercise these rights, contact us via the contact form. We will respond within 30 days.
10. Contact
Information Officer: ClaimPulse platform operator. Contact via claimpulse.co.za/contact.