PaySick Privacy Policy
IMPORTANT PRIVACY NOTICE
This Privacy Policy explains how PaySick (Pty) Ltd ("PaySick", "we", "us", or "our") collects, uses, stores, shares, and protects personal information when you access or use the PaySick platform, products, and services (collectively, the "Service").
PaySick operates with financial‑services‑grade governance, security, and risk controls, notwithstanding that PaySick is not a bank, credit provider, or lender.
By using the Service, you acknowledge that your personal information will be processed in accordance with this Privacy Policy.
1. SCOPE AND APPLICATION
This Privacy Policy applies to:
- Customers and prospective customers;
- Healthcare Providers and their representatives;
- Website and application users;
- Any individual whose personal information is processed in connection with the Service.
This Policy is read together with the PaySick Terms of Service.
2. INFORMATION WE COLLECT
2.1 Personal Information
We may collect and process the following categories of personal information:
- Identity Information: full name, identity number, date of birth, nationality;
- Contact Information: email address, mobile number, residential address;
- Financial Information: bank account details, card tokens, payment history, settlement status;
- Transactional Information: payment plans, instalments, late fees, Provider details;
- Verification Information: identity verification outcomes, fraud and risk indicators;
- Technical Information: IP address, device identifiers, browser data, usage logs;
- Communications: customer support interactions, call recordings, correspondence.
2.2 Special Personal Information
PaySick does not intentionally collect medical records or detailed health information. However, limited health‑related transactional metadata (e.g. type of Provider or treatment category) may be processed strictly for payment facilitation, fraud prevention, and regulatory compliance.
3. PURPOSES OF PROCESSING
We process personal information for the following lawful purposes:
- To provide, operate, and administer the Service;
- To establish and manage Payment Plans;
- To process payments, debits, and settlements;
- To perform identity verification, fraud detection, and risk assessments;
- To enforce contractual obligations, including late payment recovery;
- To comply with legal, regulatory, and governance obligations;
- To respond to enquiries, complaints, and disputes;
- To improve platform security, performance, and resilience.
4. LEGAL BASIS FOR PROCESSING
PaySick processes personal information based on one or more of the following legal grounds:
- Contractual necessity – to perform obligations under the Terms of Service;
- Legal obligation – to comply with applicable laws and regulatory requirements;
- Legitimate interests – including fraud prevention, risk management, and business continuity;
- Consent – where explicitly obtained and required by law.
5. INFORMATION SHARING AND DISCLOSURE
We may share personal information with:
- Payment processors and banking partners;
- Identity verification and fraud prevention service providers;
- Debt recovery, legal, and enforcement partners;
- Healthcare Providers, strictly on a need‑to‑know basis;
- Regulators, supervisory bodies, law enforcement, or courts where required or permitted by law;
- Professional advisers, including auditors, lawyers, and risk consultants.
We do not sell personal information.
6. CROSS‑BORDER DATA TRANSFERS
Where personal information is transferred outside the Republic of South Africa, PaySick ensures that:
- The recipient jurisdiction provides an adequate level of data protection; or
- Appropriate contractual safeguards are in place.
7. DATA RETENTION
Personal information is retained only for as long as necessary to:
- Fulfil the purposes set out in this Policy;
- Meet legal, regulatory, audit, and risk requirements;
- Resolve disputes and enforce agreements.
Retention periods may extend beyond termination of the Service where required by law.
8. INFORMATION SECURITY (POPIA SECTIONS 19–22)
PaySick implements and maintains appropriate, reasonable technical and organisational measures as required under Sections 19 to 22 of the Protection of Personal Information Act, 4 of 2013 ("POPIA"), to prevent:
- Loss of, damage to, or unauthorised destruction of personal information;
- Unlawful access to or processing of personal information.
These measures include, but are not limited to:
- Risk Assessments (Section 19): Ongoing identification of internal and external risks to personal information, including cyber, fraud, operational, and third‑party risks;
- Safeguards (Section 19): Encryption of data at rest and in transit, secure key management, segregation of environments, access control based on least‑privilege principles, and secure software development practices;
- Verification (Section 19): Regular testing, monitoring, and review of security controls, including audits and third‑party assurance where appropriate;
- Operator Controls (Section 21): Written agreements with operators (processors) to ensure confidentiality, security safeguards, and compliance with POPIA;
- Personnel Controls: Confidentiality obligations, role‑based access, and security awareness training;
- Incident Response (Section 22): Documented breach detection, response, escalation, and remediation procedures.
Despite these safeguards, no system is entirely immune to risk, and you acknowledge the existence of residual risk inherent in digital services.
9. DATA SUBJECT RIGHTS
Subject to applicable law, you may have the right to:
- Access your personal information;
- Request correction or updating;
- Object to certain processing activities;
- Request deletion, where legally permissible;
- Lodge a complaint with the Information Regulator.
Requests may be subject to identity verification and lawful limitations.
10. AUTOMATED DECISION‑MAKING
PaySick may use automated systems to:
- Assess eligibility;
- Detect fraud;
- Manage payment risk.
Such decisions are subject to governance controls and human oversight where appropriate.
11. COOKIES AND TRACKING
PaySick uses cookies and similar technologies for security, analytics, and service optimisation. You may manage cookie preferences via your browser settings.
12. SECURITY COMPROMISE AND BREACH NOTIFICATION (POPIA SECTION 22)
In the event of a security compromise as contemplated in Section 22 of POPIA, PaySick will:
- Take immediate steps to contain and remediate the compromise;
- Conduct an assessment to determine the nature and scope of the incident;
- Notify the Information Regulator and affected data subjects as soon as reasonably possible, where required by law;
- Provide sufficient information to enable affected individuals to take protective measures.
Notification may be delayed where a law enforcement authority determines that such notification would impede a criminal investigation.
PaySick maintains incident records and post‑incident reviews to strengthen ongoing information security controls.
13. CHANGES TO THIS POLICY
PaySick may update this Privacy Policy periodically. Continued use of the Service constitutes acceptance of the updated Policy.
14. CONTACT DETAILS
By using PaySick, you acknowledge that your personal information is processed in accordance with financial‑services‑grade governance, security, and regulatory controls.