Phishield Privacy Statement

Purpose of this Statement

This Privacy Statement sets out how your personal information will be processed by Phishield UMA (Pty) Ltd (“Phishield”, “we”, “us” or “our”) in the course of providing insurance products and services on behalf of Bryte Insurance Company Limited (“the Insurer”). This Statement applies to any personal information, including special personal information, which you provide to Phishield or which Phishield may collect from third parties.

This Statement is subject to mandatory, unalterable provisions of applicable laws, including the Protection of Personal Information Act 4 of 2013 (“POPIA”), the Promotion of Access to Information Act 2 of 2000 (“PAIA”), and applicable insurance and financial services legislation. It is important that you read this Statement carefully before submitting any personal information to us. We process personal information in a lawful, reasonable and transparent manner. If you do not agree with this Statement, we may not be able to provide our products or services to you.

We may amend this Statement from time to time to reflect changes in legal, regulatory or operational requirements. Updated versions will be published on our website. Where changes are material, we will notify affected data subjects via email or other appropriate means.

This document is version 2 and is effective as of 1 March 2026. This document is reviewed annually.

Relationship to Insurer

Phishield UMA (Pty) Ltd, an authorized financial services provider (FSP 46418), performs certain underwriting, policy administration and claims-related functions on behalf of Bryte, a licensed insurer, in terms of a binder agreement. In terms of the agreement:

     •    Bryte remains the licensed insurer and primary responsible party
     •    Phishield acts within delegated authority
     •    Certain records are held on behalf of Bryte

Phishield processes information in accordance with Bryte’s instructions, applicable law, and delegated authority. Where records relate to policies underwritten by Bryte, such records are deemed to be held on behalf of Bryte and access requests may be redirected to or jointly handled with Bryte.

Depending on the processing activity, Phishield may act as an operator as contemplated in POPIA, processing personal information on behalf of Bryte as responsible party. Phishield maintains records in a manner that ensures full accessibility to Bryte for audit, oversight, regulatory reporting and compliance purposes. In certain instances, Phishield and Bryte may act as joint responsible parties where both determine the purpose and means of processing. If you are uncertain whether Phishield or Bryte is the responsible party for your specific processing activity, please contact our Information Officer who will assist in directing your request appropriately.

This Statement also forms part of Phishield’s commitment to Treating Customers Fairly (TCF), ensuring transparency, accessibility of information, and fair handling of requests and complaints.

A copy of Bryte’s privacy statements is available for download via https://www.brytesa.com/legal?section=access-to-information

How to Contact Us

Information Officer: Lilian Mooney
Email: lilian@phishield.com
Tel: +27 (0) 10 312 5257

Phishield has appointed and registered an Information Officer in accordance with POPIA.

Lawful Basis for Processing

Personal information is processed in the course of providing financial services, including underwriting, policy administration, intermediary services, and claims handling. We process your personal information on one or more of the following lawful grounds:

     •     Your consent;
     •     The conclusion or performance of an insurance contract;
     •     Compliance with legal or regulatory obligations;
     •     The protection of legitimate interests (including fraud prevention and risk management);
     •     The establishment, exercise or defence of legal claims.

Where consent is required, you may withdraw such consent subject to legal or contractual limitations.

Where automated decision-making or profiling is used in underwriting, risk assessment or fraud detection, such processing will be conducted in accordance with Section 71 of POPIA and subject to appropriate safeguards, including the right to request human intervention where applicable.

Phishield maintains records in accordance with, inter alia:

     •     Insurance Act 18 of 2017
     •     Financial Advisory and Intermediary Services Act 37 of 2002
     •     Protection of Personal Information Act 4 of 2013
     •     Promotion of Access to Information Act 2 of 2000
     •     Financial Intelligence Centre Act 38 of 2001
     •     Companies Act 71 of 2008
     •     Financial Sector Regulation Act 9 of 2017

Data Subject Categories

The following categories of data subjects apply:

     •     Policyholders / Insured persons
     •     Intermediaries
     •     Employees
     •     Service providers

For a comprehensive list of rights, please refer to Phishield’s PAIA Manual available for download via www.phishield.com.

Information we may Collect

We may collect and process the following categories of information (not exhaustive):

     •     Name, address and contact details;
     •     Identity number, passport number, date and place of birth;
     •     Employment details and financial information;
     •     Banking details;
     •     Tax number;
     •     Credit information obtained from a registered Credit Bureau;
     •     Claims history and underwriting information;
     •     Records of correspondence or enquiries;
     •     Details of contracts and transactions;
     •     Sensitive or special personal information, including biometric information such as images, voice recordings or fingerprints;
     •     Information required to detect, investigate, prevent or mitigate fraud and financial crime.

Where you provide us with personal information of third parties, you warrant that you are authorised to do so and that those parties are aware of this Privacy Statement. We recommend that you share this Privacy Statement with any third party whose personal information you provide to us.

How we Collect Information

We may collect your personal information directly from you, through your intermediary, broker or representative, from the Insurer, from regulators or statutory bodies, from fraud prevention agencies, from registered Credit Bureaux, and from other lawful third-party sources.

Use of Your Personal Information

We may use, transfer and disclose your personal information for purposes including:

     •     Underwriting and assessing insurance risk;
     •     Issuing, administering and managing insurance policies;
     •     Processing and assessing claims;
     •     Detecting, preventing and investigating fraud, money laundering and other financial crime;
     •     Conducting risk modelling and portfolio management;
     •     Complying with legal, regulatory and reporting obligations;
     •     Auditing and record-keeping;
     •     Verifying identity and beneficial ownership;
     •     Managing complaints and dispute resolution;
     •     Monitoring and recording communications for quality assurance and evidentiary purposes;
     •     Improving our products, services and operational effectiveness;
     •     Transferring data outside the Republic of South Africa where appropriate safeguards are in place.

Where personal information is transferred cross-border, we will ensure that adequate safeguards are implemented as required by POPIA. Details of cross-border transfers may be provided upon reasonable request.

Special personal information, including biometric data, is processed only where a specific lawful ground under Section 27 of POPIA applies, including but not limited to: the data subject’s consent, the processing being necessary for the conclusion or performance of a contract, or compliance with a legal obligation.

Direct Marketing

We may contact you regarding products or services where you are an existing client and such communication relates to similar products, or where you have provided explicit consent to receive marketing communications. Marketing communications may be sent via email, SMS or telephone. Consent is captured at onboarding and may be withdrawn at any time by contacting us at enquiries@phishield.com or by following the unsubscribe link in any marketing communication.

You may opt out of receiving direct marketing communications at any time. We will not send electronic marketing communications where prohibited by law.

Disclosure of your Information

Your personal information may be disclosed to Bryte Insurance Company Limited, reinsurers, intermediaries or representatives, service providers and sub-contractors, fraud prevention agencies, regulators or supervisory authorities, law enforcement authorities, professional advisers, or any party where required by applicable law.

Where personal information is shared, we require recipients to implement appropriate confidentiality and security measures.

Data Security

We implement reasonable technical and organisational measures to protect personal information against loss, unauthorised access, unlawful processing and accidental disclosure.

While Phishield implements appropriate safeguards, no system is entirely secure. To the extent permitted by law, Phishield shall not be liable for losses arising from unauthorised access beyond its reasonable control, provided that such safeguards have been implemented.

Retention of Information

We retain personal information:

     •     for as long as necessary according to the applicable laws
     •     to fulfil the purpose for which it was collected
     •     in accordance with statutory retention requirements
     •     for the duration of any applicable limitation period
     •     for legitimate business or legal purposes.

Thereafter, information will be securely destroyed or de-identified.

In accordance with FAIS legislation, Phishield retains records of advice, intermediary services, and transactions for a minimum period of five (5) years. For details regarding the retention period of various record categories, refer to Phishield’s PAIA Manual available for download via www.phishield.com.

Your Rights Under POPIA

You have the right to:

     •     Request confirmation of whether we hold personal information about you;
     •     Request access to your personal information;
     •     Request correction of inaccurate or incomplete information;
     •     Request deletion or restriction of processing where legally permissible;
     •     Object to processing on reasonable grounds;
     •     Withdraw consent where processing is based on consent;
     •     Lodge a complaint with the Information Regulator.

Requests may be submitted to our Information Officer.

Formal objections must be submitted using FORM 1 (Objection to the Processing of Personal Information) available on the Information Regulator’s website. There is a 30-day response period for data subject requests.

PAIA

Requests for access to records may be made in accordance with our PAIA Manual available at https://www.phishield.com.

Where a request relates to records held on behalf of Bryte, requesters may be required to submit such request directly to Bryte in accordance with its PAIA Manual.

Complaints

If you believe Phishield has processed your personal information unlawfully, please contact complaints@phishield.com.

If you are not satisfied with our response, you may lodge a complaint with:
Information Regulator (South Africa)
Tel: 010 023 5200
Email: POPIAComplaints@inforegulator.org.za
