Privacy Notice
Patient Cover™ | Protection of Personal Information Act 4 of 2013 | Section 18 Disclosure
1. Introduction
Medmal Plus (Pty) Ltd, trading as nownow ("we", "us", "our"), is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA). This Privacy Notice explains how we collect, use, store, share, and protect your personal information in connection with your Patient Cover™ policy.
This notice is issued pursuant to section 18 of POPIA and forms part of the contractual framework governing your Patient Cover policy. Please read it alongside the Patient Cover Benefits Schedule.
Questions about your personal information? Contact our Information Officer: Evander Obi — support@nownow.insure (IO Reg. No. 2026-010859).
2. Who We Are (Responsible Party)
| Detail | Information |
|---|---|
| Company | nownow (Pty) Ltd (trading as nownow / also known as MedMal Plus (Pty) Ltd) |
| CIPC Registration | 2019/494004/07 |
| Underwriter | GENRIC Insurance Company Limited (Reg. No. 2005/037828/06) |
| Information Officer | Evander Obi |
| IO Registration No. | 2026-010859 (Information Regulator of South Africa) |
| Contact | support@nownow.insure |
3. What Personal Information We Collect
3.1 Identifying Information
- Full name, date of birth, gender
- South African identity number or passport number
- Contact details: email address, telephone number, postal address
3.2 Health and Medical Information (Special Personal Information)
We process health data as Special Personal Information under section 26 of POPIA, including:
- Medical records, clinical notes, hospital admission and discharge records
- Surgical and procedural reports relating to the covered Medical Procedure
- Whole Person Impairment (WPI) ratings and physical evaluation results
- Diagnostic imaging, pathology, and test results
3.3 Financial Information
- Bank account details for Benefit Pay-out purposes
- Premium payment records
3.4 Policy and Claims Information
- Policy number, enrolment type, Cover Start Date
- Claim history, Assessment Conclusions, and dispute records
- Settlement agreements and signed consent forms
4. Why We Process Your Personal Information
- Administering your Patient Cover policy and issuing Policy Confirmation Documents
- Conducting Claims Assessments and Physical Evaluations
- Calculating and processing Benefit Pay-outs
- Verifying eligibility and the validity of claims
- Communicating with you about your policy and claims
- Complying with legal and regulatory obligations (Insurance Act, FSRA, POPIA)
- Detecting and preventing fraud and anti-selection
- Resolving disputes and responding to complaints or Ombudsman referrals
We do not use your personal information for automated decision-making that produces legal effects without human review.
5. Lawful Basis for Processing
| Processing Activity | Lawful Basis (POPIA) |
|---|---|
| Policy administration and claims processing | s.11(1)(b) — performance of contract |
| Health and medical information | s.26 — explicit consent at enrolment |
| Legal and regulatory compliance | s.11(1)(c) — legal obligation |
| Fraud prevention | s.11(1)(f) — legitimate interest |
| Marketing communications (optional) | s.11(1)(a) — your voluntary consent |
6. Who We Share Your Information With
Underwriter
GENRIC Insurance Company Limited — for underwriting, risk management, and regulatory reporting.
Clinical Assessment Partner
Siza Medical (or the provider confirmed in your Policy Confirmation Document) — for Preliminary Assessments and Physical Evaluations.
Technology Operators
We use the following service providers, each bound by a Data Processing Agreement:
| Operator | Role | Country |
|---|---|---|
| Railway App Inc. | Cloud infrastructure hosting | USA (EU SCCs) |
| Supabase Inc. | Database hosting | USA (EU SCCs) |
| Clerk Inc. | Authentication and identity | USA (EU SCCs / DPF) |
| Twilio Inc. (SendGrid) | Email communications | USA (EU SCCs) |
| SignWell Inc. | Electronic signatures | USA (EU SCCs) |
Regulators and Authorities
- Financial Sector Conduct Authority (FSCA)
- Information Regulator of South Africa
- South African Police Service (where fraud is suspected)
7. Transfer of Personal Information Outside South Africa
All five of our technology operators are based in the United States of America. Transfers are protected under section 72 of POPIA by the following mechanisms:
| Mechanism | POPIA Basis |
|---|---|
| EU Standard Contractual Clauses in Data Processing Agreements | s.72(1)(a) — adequate contractual protection |
| EU-US Data Privacy Framework certification (Clerk, Railway) | s.72(1)(a) — adequate protection |
| Your explicit consent given at enrolment | s.72(1)(b) — data subject consent |
| Necessity for performance of your Patient Cover contract | s.72(1)(c) — contractual necessity |
By enrolling for Patient Cover, you explicitly consent to the transfer of your personal information (including health data) to the operators listed above, on servers in the USA, subject to these protections. You may withdraw this consent at any time by contacting help@nownow.insure, noting that withdrawal may affect policy administration.
8. How Long We Keep Your Information
| Category | Retention Period |
|---|---|
| Policy records (active) | Duration of cover plus 5 years |
| Claims and medical records | 7 years from claim closure |
| Identity documents | 5 years from policy cancellation |
| Electronic communications | 3 years |
After the applicable period, personal information is securely deleted or de-identified.
9. How We Protect Your Information
- Encryption in transit (TLS) and at rest for all personal information
- Role-based access controls limiting access to authorised personnel only
- Multi-factor authentication for all platform access
- Data Processing Agreements with all operators requiring equivalent security
In the event of a security breach, we will notify the Information Regulator and affected members as soon as reasonably possible (POPIA s.22).
10. Your Rights Under POPIA
| Right | What This Means | How to Exercise |
|---|---|---|
| Access (s.23) | Request your personal information held by us | Email support@nownow.insure |
| Correction (s.24) | Request correction of inaccurate information | Email support@nownow.insure |
| Deletion (s.24) | Request deletion where we are no longer entitled to retain | Email support@nownow.insure |
| Objection (s.11(3)) | Object to processing on grounds relating to your situation | Email support@nownow.insure |
| Withdraw consent | Withdraw any consent-based processing at any time | Email support@nownow.insure |
| Complain (s.74) | Lodge a complaint with the Information Regulator | See section 11 below |
We will respond to all requests within 30 days.
11. How to Complain
Contact us first
- Information Officer: Evander Obi
- Email: support@nownow.insure
- Reference: IO Registration No. 2026-010859
We will acknowledge your complaint within 5 Business Days and aim to resolve it within 30 calendar days.
Information Regulator of South Africa
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Email: complaints.IR@justice.gov.za
- Website: www.inforegulator.org.za
- Helpline: 012 406 4818
12. Updates to This Notice
We may update this Privacy Notice from time to time. Where changes are material, we will notify you by email to your registered address at least 30 days before the change takes effect. The current version is always available on request from support@nownow.insure.