This Privacy Policy explains how personal information is processed in My Personal Broker for broker and client administration, with specific attention to the Protection of Personal Information Act, 2013 (POPIA).
Personal information is used only for the platform purposes described here and for closely related operational, legal, security, and support purposes.
Responsible party and operator roles
For client portfolio and insurance administration data, the broker or brokerage normally determines why and how the information is processed and acts as the responsible party under POPIA.
My Personal Broker generally acts as an operator for that broker data by processing information through the platform on the broker instruction, except where it processes its own account, security, billing, support, or platform administration records.
Brokers remain responsible for giving clients any notices, mandates, consents, access channels, and regulatory disclosures required for their own insurance and advisory services.
Information processed
The platform may process broker organisation details, broker user profiles, client names, contact details, South African ID handling data, insurer details, policy numbers, current policy files, claim records, policy amendment details, claim attachments, document records, signed documents, signatures, initials, notifications, and audit events.
The platform also processes technical information needed for authentication, security, diagnostics, storage paths, timestamps, email routing, and operational logs.
Purpose limitation
Information is processed to authenticate users, link clients to brokers, manage client records, route claims and policy amendment requests, upload and display files, send documents for signature, create signed document records, notify relevant broker users, and support the platform.
The platform does not sell client data and does not use broker or client records for unrelated advertising purposes.
Security safeguards
The platform uses industry-standard technical and organisational safeguards intended to protect personal information against unauthorised access, loss, misuse, alteration, or disclosure.
Current safeguards include Supabase authentication, row-level security, broker and sub-broker data isolation, private storage buckets, limited signed file access, protected Edge Functions, encryption in transit, provider-side encryption at rest, and restricted handling of sensitive identity information.
South African ID numbers are validated and protected using hashed/encrypted storage patterns. The app displays only limited ID reference information where needed for broker administration.
Sharing and third-party providers
Information may be processed by hosting, database, authentication, storage, email, document, support, and similar service providers only where needed to operate the platform.
Claim and document information may be shared with the selected broker users, assistants, insurers, or recipients configured by the broker or required for the requested workflow.
Where the law requires disclosure, information may be disclosed to regulators, courts, law enforcement, or other authorised parties.
Retention, access, and correction
Records are kept for as long as needed for platform operation, broker administration, legal obligations, dispute handling, audit evidence, and reasonable backup or security purposes.
Clients should usually contact their broker to access, correct, or delete insurance administration information because the broker is normally the responsible party for that information.
Where My Personal Broker is responsible for a platform account or operational record, a user may request access, correction, or deletion through the support or contact process made available by the platform.
Security incidents
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the platform will take reasonable steps to investigate, contain, and support required notifications.
Where the platform acts as an operator, it will notify the relevant responsible party as required so that the responsible party can manage Information Regulator and data subject notifications where applicable.
