This policy is issued in terms of Section 18 of POPIA (duty to notify data subjects at time of collection) and must be read together with our Terms of Service.
PaySick is a payment facilitation platform, not a bank or deposit-taking institution. The collection and processing of your personal information described in this policy does not constitute, and shall not be construed as, an offer of credit, a guarantee of approval, or the assumption of any financial liability by PaySick beyond the specific payment arrangement confirmed to you in writing.
The processing of your personal information, including any suitability or affordability assessment carried out before approving a payment plan, does not create any entitlement to a payment plan, does not imply approval of your application, and does not give rise to any claim against PaySick in respect of an assessment decision. Assessment decisions are communicated separately and this privacy policy governs information processing only.
PaySick is not liable for the quality, safety, or outcome of any medical treatment, healthcare service, or advice provided by healthcare providers whose bills are facilitated through our platform. Our role is strictly financial: we facilitate payment. We do not endorse, certify, or take responsibility for clinical services.
1. Who We Are
PaySick South Africa (Pty) Ltd ("PaySick", "we", "us", "our") is a private company incorporated under the laws of the Republic of South Africa. We operate a healthcare payment facilitation service that allows eligible patients to spread approved medical bills over structured monthly instalments via debit order.
PaySick is:
- A payment facilitation platform operating in compliance with applicable South African law
- The Responsible Party as defined in Section 1 of POPIA in respect of all personal information processed through our platform
- An accountable institution for purposes of FICA in respect of financial services offered
Our duly appointed Information Officer, as required by Section 55 of POPIA, is contactable at privacy@paysick.co.za.
2. South African Legal Framework
This policy is crafted to comply with the following South African legislation:
| Legislation | Relevance to PaySick |
|---|---|
| POPIA (Protection of Personal Information Act 4 of 2013) | Primary framework governing all personal information processing. Eight lawful processing conditions apply. |
| NCA (National Credit Act 34 of 2005) | Applies where our payment arrangements constitute credit agreements as defined by the NCA. Governs affordability assessment and related obligations. |
| FICA (Financial Intelligence Centre Act 38 of 2001) | Requires identity verification (KYC) and reporting of suspicious transactions to the Financial Intelligence Centre. |
| CPA (Consumer Protection Act 68 of 2008) | Protects consumers from unfair information practices and governs direct marketing opt-out rights. |
| ECTA (Electronic Communications and Transactions Act 25 of 2002) | Governs electronic contracts, authentication, and data messages. |
| PAIA (Promotion of Access to Information Act 2 of 2000) | Section 32 of the Constitution and PAIA grant access to information held by juristic persons. |
3. The Eight POPIA Conditions for Lawful Processing
PaySick processes your personal information only where all applicable conditions of Chapter 3 of POPIA are satisfied:
4. Personal Information We Collect
4.1 Information You Provide Directly
| Category | Specific fields | Why collected |
|---|---|---|
| Identity | Full name, 13-digit SA ID number, date of birth | FICA KYC, suitability assessment, fraud prevention |
| Contact | Email address, cell phone number, postal code | Service delivery, payment reminders, account notifications |
| Financial | Bank account details (encrypted), declared monthly income, existing obligations, debit order date preference | Affordability assessment, debit order collection |
| Healthcare | Medical bill amount, treatment type, healthcare provider, medical aid scheme and option | Application assessment, bill settlement, pricing |
| Credentials | Password (stored as a secure hash only, never in plain text) | Account authentication |
| Consent records | Terms acceptance flag, POPIA consent flag, consent timestamp, IP address at consent | Regulatory audit trail and evidence of lawful processing basis |
4.2 Information Collected Automatically
- IP address at registration, login, and each application submission (fraud prevention and security audit logging)
- Browser user-agent string (device type detection)
- Session token hashes (no raw tokens are stored)
- Application completion timestamps (security and fraud signals)
4.3 Information from Third Parties
- Credit bureaus (registered South African bureaus): where relevant and with your consent, we may obtain information to assist with affordability assessment
- Medical aid administrators: claims history and benefit status, only where you have consented to disclosure by your scheme
5. Special Personal Information
Section 26 of POPIA prohibits the processing of "special personal information" except in limited circumstances. PaySick processes the following special categories:
- Health information (s26(1)(c)): Treatment type and medical bill context. We process this on the basis of your explicit consent (s27(1)(a)) and because it is necessary for the establishment, exercise, or defence of a right or obligation in law (s27(1)(b)), specifically for the purpose of facilitating payment of a lawfully rendered medical service.
- Financial information: Processed on the basis of contractual necessity and your express consent.
We apply heightened security controls to all special personal information, including field-level AES-256-GCM encryption and access restricted to authorised personnel on a need-to-know basis only.
6. Why We Process Your Information
| Purpose | Legal basis under POPIA s11 |
|---|---|
| Account registration and identity verification | Contractual necessity (s11(1)(b)); Legal obligation under FICA (s11(1)(c)) |
| Suitability and affordability assessment | Contractual necessity (s11(1)(b)); Legal obligation where applicable (s11(1)(c)); Consent (s11(1)(a)) |
| Processing and settling your healthcare payment application | Contractual necessity (s11(1)(b)) |
| Collecting monthly instalments via debit order | Contractual necessity (s11(1)(b)); Your express debit order authorisation |
| Payment conduct reporting where required by law | Legal obligation (s11(1)(c)) where applicable |
| Fraud detection and prevention | Legitimate interest (s11(1)(f)); balancing test conducted; our interest does not override yours |
| Security event logging and audit trails | Legal obligation (POPIA s19, FICA); Legitimate interest (s11(1)(f)) |
| Transactional communications (payment reminders, status updates) | Contractual necessity (s11(1)(b)) |
| Direct marketing communications | Consent only (s11(1)(a)); opt out at any time (see Section 12) |
| Regulatory reporting to applicable authorities | Legal obligation (s11(1)(c)) |
| Improving our service using anonymised, aggregated data | Legitimate interest (s11(1)(f)); data is fully anonymised before use and no individual can be re-identified |
7. Disclosure of Personal Information
We do not sell, rent, or trade your personal information. We disclose it only as follows:
7.1 Operators (POPIA s20-22)
We engage the following operators under written data processing agreements imposing equivalent POPIA obligations:
- Vercel Inc.: hosting and serverless compute (USA; see Section 8 on cross-border transfers)
- Neon Inc.: PostgreSQL database hosting (USA; see Section 8)
- SMS and email delivery providers: transactional notifications only
7.2 Third-Party Recipients
- Credit bureaus (registered South African bureaus): where applicable, for assessment purposes and payment conduct reporting
- Healthcare providers: only the minimum information necessary to confirm your treatment and effect settlement
- Debit order processing bureau: bank account details for DebiCheck collection, subject to equivalent security controls
- Financial Intelligence Centre (FIC): suspicious transaction reports (FICA s29) and cash threshold reports (FICA s28A) where required
- Applicable regulators: information as required by law
- Law enforcement and courts: only when compelled by a valid court order, warrant, or statutory obligation
We will never disclose your personal information to any political party, political organisation, or for political profiling purposes.
8. Cross-Border Transfers
Section 72 of POPIA restricts the transfer of personal information to foreign countries. We transfer information to Vercel Inc. and Neon Inc. (both headquartered in the United States) solely for hosting purposes.
These transfers are permissible because:
- Recipient entities are bound by data processing agreements imposing obligations substantially equivalent to POPIA's conditions (s72(1)(a)); and
- The transfers are necessary for performance of the contract between you and PaySick (s72(1)(d))
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Banking details are additionally encrypted at the application layer before transmission. We never transfer personal information to a country solely to avoid South African law.
9. Retention Periods
| Data type | Retention period | Legal basis |
|---|---|---|
| Payment arrangement records | 5 years after account closure | Applicable statutory requirements |
| FICA KYC records | 5 years after business relationship ends | FICA Section 23 |
| Security audit logs | 3 years | POPIA Section 19 |
| POPIA consent records | Duration of processing plus 3 years | POPIA Section 11(1)(a): evidence of lawful basis |
| Payment transaction records | 5 years | Applicable statutory requirements |
| Inactive accounts (no payment arrangement) | 3 years from last activity, then deleted | POPIA Section 14: destruction when no longer necessary |
| Anonymised analytics | Indefinite (no personal data retained) | POPIA s1: anonymised data falls outside definition of personal information |
At the end of each retention period, personal information is securely deleted or de-identified per POPIA Section 14.
10. Security Safeguards
In compliance with POPIA Section 19, we maintain the following technical and organisational measures:
Technical controls
- AES-256-GCM encryption for all banking details at rest (field-level; encryption keys stored separately from data)
- Secure password hashing using a strong, slow hashing algorithm; passwords are never stored, logged, or recoverable in plain text
- Opaque session tokens stored only as cryptographic hashes; raw tokens are never persisted
- TLS 1.2+ for all data in transit; HTTPS enforced via HSTS with a 1-year max-age
- Rate limiting on login and registration endpoints to prevent brute-force attacks
- Account lockout after repeated failed authentication attempts
- Immutable security audit log covering all authentication and data access events
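The two controls above that are easiest to get wrong in practice are token storage and lockout. As an added illustration (not PaySick's code; the attempt limit, lockout window and in-memory store are assumptions for the example), the following shows a session store that persists only the SHA-256 digest of each opaque token, expires sessions after the 24-hour lifetime stated in Section 13, and a login guard that locks an account after repeated failures:

```python
import hashlib
import secrets
import time

# Illustrative settings, not PaySick's configuration (assumptions for this example).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SESSION_TTL_SECONDS = 24 * 60 * 60  # the 24-hour session expiry stated in the policy


def hash_token(raw_token: str) -> str:
    """Return the hex SHA-256 digest under which a session token is stored.
    Only this digest is persisted; the raw token lives only in the client's cookie,
    so a database dump yields nothing a client could present."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory stand-in for a sessions table keyed by token hash."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # token_hash -> (user_id, expires_at)

    def create(self, user_id: str) -> str:
        raw = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[hash_token(raw)] = (user_id, self._now() + SESSION_TTL_SECONDS)
        return raw                         # handed to the client, never written down

    def resolve(self, raw_token: str):
        """Map a presented token to its user; None if unknown or expired."""
        key = hash_token(raw_token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[key]        # expired sessions are purged on touch
            return None
        return user_id

    def stored_values(self):
        """Everything the table actually contains: digests only."""
        return list(self._sessions.keys())


class LoginGuard:
    """Counts failed attempts per account and refuses authentication while locked."""

    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}        # account -> (consecutive_failures, locked_until)

    def is_locked(self, account: str) -> bool:
        _, locked_until = self._failures.get(account, (0, 0.0))
        return self._now() < locked_until

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; returns True if the account is now locked."""
        count, locked_until = self._failures.get(account, (0, 0.0))
        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            locked_until = self._now() + LOCKOUT_SECONDS
            count = 0                       # counter restarts after the lockout window
        self._failures[account] = (count, locked_until)
        return self._now() < locked_until

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(account, None)
```

The lookup is by digest, so the raw token never touches storage or logs, and because the digest of a high-entropy token cannot be reversed, a leaked sessions table does not let anyone resume a session. The guard keys lockout on the account rather than the client address, which is what makes it effective against distributed guessing; in production the counters and sessions would live in the database rather than in process memory.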
Organisational controls
- Principle of least privilege: employees access only data necessary for their role
- Confidentiality obligations in all employment and contractor agreements
- Annual security awareness training for all staff with access to personal information
- Incident response plan maintained and tested annually
Security breach notification (POPIA s22)
If we reasonably believe your personal information has been accessed by an unauthorised person, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, including the nature of the breach, categories of information involved, and steps you can take to protect yourself.
11. Your Rights as a Data Subject
To exercise any right, email privacy@paysick.co.za with the subject "POPIA Request: [Right]". We will acknowledge within 3 business days and respond within 30 days as required by Section 23(3) of POPIA.
12. Direct Marketing
We send promotional communications only to existing customers who have not opted out, per POPIA Section 69 and CPA Section 11. You may opt out at any time by:
- Clicking the unsubscribe link in any marketing email
- Replying "STOP" to any marketing SMS
- Emailing privacy@paysick.co.za with subject "Opt-Out"
Opting out of marketing will not affect transactional communications necessary for the performance of your agreement.
13. Cookies
PaySick does not use advertising cookies, cross-site tracking pixels, browser fingerprinting, or social media tracking. We use only strictly necessary session cookies that enable authentication and are deleted when you close your browser or after your 24-hour session expires. No consent banner is required for strictly necessary cookies under POPIA or ECTA.
14. Children
Our platform is restricted to persons aged 18 years and older. We do not knowingly collect personal information from minors. If we discover that a minor's information has been collected, we will immediately delete it and notify the Information Regulator if required.
15. FICA Compliance
As an accountable institution under Schedule 1 of FICA, PaySick must:
- Verify your identity using your SA ID number before providing services (FICA s21)
- Maintain records of identity verification for a minimum of 5 years (FICA s23)
- Report suspicious transactions to the Financial Intelligence Centre (FICA s29); we are not permitted to disclose if such a report has been made
- Report cash transactions above the prescribed threshold (FICA s28)
These obligations exist independently of your consent and cannot be waived. Compliance with FICA overrides conflicting data subject requests where the law requires retention.
16. Changes to This Policy
We may update this policy to reflect changes in law, our services, or our processing activities. We will:
- Post the updated policy with a revised effective date
- Notify registered users by email of material changes at least 14 calendar days before they take effect
- Obtain fresh consent where a change requires it
17. Contact Our Information Officer
Email: privacy@paysick.co.za
Subject line: "POPIA Request: [Access / Correction / Deletion / Objection / Complaint]"
Postal: Information Officer, PaySick South Africa (Pty) Ltd, Cape Town, South Africa
Response time: 3 business days acknowledgement; 30-day substantive response (POPIA s23(3))
Information Regulator (South Africa):
Email: inforeg@justice.gov.za | Website: www.justice.gov.za/inforeg
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg 2001