underwriting.life

Privacy Policy

The Mantis Model (Pty) Ltd Effective 13 June 2026 Version 1.0

The Mantis Model (Pty) Ltd (registration number 2018/198006/07, VAT 4450291812), trading as underwriting.life ("we", "us" or "our"), operates a secure underwriting-intelligence platform used by life insurers, reinsurers and their authorised intermediaries (our "Clients") in South Africa. The platform helps a Client assess an insurance application by retrieving and combining identity, medical, pathology and financial-crime screening information about the individual applying for cover (the "Applicant" or "data subject").

This Policy explains how we collect, use, share, secure and retain personal information, and the rights you have. It is published in line with the Protection of Personal Information Act 4 of 2013 ("POPIA") and read together with our Manual under the Promotion of Access to Information Act 2 of 2000 ("PAIA").

1. Our role: responsible party and operator

POPIA distinguishes between a responsible party (which decides why and how personal information is processed) and an operator (which processes on behalf of, and on the instruction of, a responsible party). Depending on the activity, we act in both capacities.

We act as an operator when we process Applicant information on a Client's instruction to return an underwriting result for that Client's specific application. The Client is the responsible party for its underwriting decision and for the consent obtained from the Applicant.

We act as a responsible party in our own right when we decide which data sources to query, how to verify, structure, aggregate and present results, how long to retain records, and how to secure our platform. We hold our own contracts with the third-party data sources described below.

Where we act as an operator, we process personal information only with the Client's authorisation, treat it as confidential, and apply the safeguards described below, as required by sections 20 and 21 of POPIA.

2. Information Officer

We have registered an Information Officer with the Information Regulator (registration number 2026-019341).

Kurt Terblanche — Information Officer
11 Blackenfen Crescent, Bryanston, 2191
Email: admin@underwriting.life · Telephone: 083 441 4745

3. Whose information we process and what we collect

Insurance Applicants. We do not collect this information directly from the Applicant, and Applicants do not have accounts on the platform. We receive identifying details from the Client and use them to query the data sources below. Depending on the products selected, this may include:

Client users. Names, work email addresses, telephone numbers, role, authentication data (including two-factor authentication secrets), and audit logs of actions taken on the platform.

Website visitors. Limited technical data (such as IP address and basic usage logs) needed to keep the site secure and functioning.

We process the minimum information necessary for each purpose and do not use Applicant information for marketing.

4. Sources of information

Applicant information is sourced from the Client and from regulated third-party data providers we query on the Client's behalf:

We query a source only when the relevant product has been selected for a specific application and the consent conditions below are met.

5. Why we process personal information

We process personal information to: verify an Applicant's identity; retrieve and present medical, pathology and financial-crime screening information relevant to an insurance underwriting decision; produce underwriting-intelligence reports for the Client; bill Clients for checks performed; maintain the security, integrity and auditability of the platform; comply with our legal obligations; and operate and support Client accounts.

6. Lawful basis and consent

Underwriting relies on the Applicant's consent and the legitimate interests of the insurer in assessing risk under sections 11 and 27 of POPIA. Because medical and pathology information is special personal information concerning health (section 26 of POPIA), it is processed on the basis of the Applicant's consent and the authorisation in section 32 of POPIA permitting processing of health information by, or for, parties involved in insurance, subject to confidentiality obligations.

Consent is obtained by the Client from the Applicant as part of the insurance application. For medical and pathology queries, our Client maintains a signed consent authorisation that is attached to each request to the medical data source. We will not run a medical or pathology query for a Client that does not have the required consent authorisation on file. Clients warrant that they have obtained valid consent and the necessary authority before submitting an Applicant for screening.

If you are an Applicant and wish to understand or withdraw the consent you gave, please contact your insurer (our Client) in the first instance, as they are the responsible party for the application. You may also contact our Information Officer.

7. Sharing of personal information

We do not sell personal information and do not share it for third-party marketing.

8. Security safeguards

We maintain technical and organisational measures appropriate to the sensitivity of the information, as required by section 19 of POPIA: encryption in transit (TLS 1.2/1.3) and at rest; role-based access control on a least-privilege basis; mandatory two-factor authentication and a strong password policy for Client users; session timeouts and account-lockout controls; IP whitelisting and strict transport security on sensitive integrations; a tamper-evident audit log of access and processing activity; daily cost and volume caps; and segregation of production data. Before processing live Applicant data at scale, we subject the platform to independent security testing.

If a security compromise affecting personal information occurs, we will notify the Information Regulator and affected parties as required by section 22 of POPIA.

9. Data residency and cross-border transfers

The platform and its databases are hosted in South Africa, in Amazon Web Services' Cape Town (af-south-1) region, to support local data residency. We do not transfer personal information outside South Africa in the ordinary course of operating the service. Any future cross-border processing will only occur on a basis permitted by section 72 of POPIA, and we will update this Policy accordingly.

10. Retention and deletion

We retain personal information only as long as necessary to fulfil the purposes above, to meet record-keeping requirements applicable to insurance and financial-crime screening, and to defend or establish legal claims. Underwriting records and audit logs are retained for the periods required by law and by our Client agreements. When no longer required, information is deleted or de-identified securely. Applicant records are treated as immutable for audit integrity during their retention period and are then disposed of per our retention schedule.

11. Your rights as a data subject

Subject to POPIA, you have the right to: be notified that your information is collected or has been accessed in a compromise; request confirmation of and access to information we hold (via the PAIA process in our PAIA Manual); request correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained; object on reasonable grounds to processing; not be subject to a decision based solely on automated profiling with legal or similarly significant effects; withdraw consent where processing is based on consent; and lodge a complaint with the Information Regulator.

Because we usually process Applicant information as an operator for an insurer, the most direct route for an Applicant to exercise these rights over an insurance application is through the insurer (our Client). We assist Clients in responding to such requests and action requests that fall to us as responsible party.

12. Children's information

We process information relating to a minor only where permitted under section 35 of POPIA, including with the consent of a competent person (such as a parent or guardian) obtained by the Client, or where otherwise authorised by law. We apply additional care to any such information.

13. Complaints

If you believe we have not handled your personal information in line with POPIA, please contact our Information Officer first so we can try to resolve the matter. You also have the right to complain directly to the Information Regulator:

Information Regulator (South Africa)
Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191 · P.O. Box 31533, Braamfontein, 2017
Email: POPIAComplaints@inforegulator.org.za · enquiries@inforegulator.org.za
Telephone: 010 023 5200 · Toll free: 0800 017 160

14. Changes to this Policy

We may update this Policy to reflect changes in our processing, our data sources, or the law. The current version and effective date appear at the top of this page. Material changes will be communicated to Clients.

15. How to contact us

The Mantis Model (Pty) Ltd — Information Officer, Kurt Terblanche
11 Blackenfen Crescent, Bryanston, 2191
Email: admin@underwriting.life · Telephone: 083 441 4745 · Web: underwriting.life