Privacy Policy

1. Who we are

Polly is an insurance administration platform operated by Polly (Pty) Ltd ("Polly", "we", "us", "our"), a company registered in the Republic of South Africa. Our platform is provided on a white-label basis to brokers, insurers, and managing general agents ("Clients"), who deploy it under their own brand to their policyholders and end users.

For the purposes of POPIA, Polly acts as a Responsible Party in respect of information collected through this marketing website (polly.global), and as an Operator in respect of personal information processed on behalf of our Clients within the platform.

Our Information Officer can be reached at the contact details set out in section 13.

2. Information we collect

2.1 Information you provide to us directly

When you submit the demo request form on this website, we collect:

• Full name
• Business email address
• Company name and role
• Lines of insurance you are interested in
• Any additional detail you include in your message

2.2 Information collected automatically

When you visit this website, we and our service providers may collect technical information automatically, including:

• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited, time spent, and referring URL
• Device identifiers

2.3 hCaptcha bot-detection data

Our contact form is protected by hCaptcha, a bot-detection service operated by Intuition Machines, Inc. ("IMI"). When you interact with the contact form, hCaptcha may collect information about your browser, device, mouse movements, and interaction patterns to determine whether the submission originates from a human user. This data is transmitted to and processed by IMI, acting as a separate data controller, in accordance with their Privacy Policy and Terms of Service. We process this data on the basis of our legitimate interest in preventing spam and fraudulent submissions.

2.4 Platform data processed on behalf of Clients

When Clients deploy the Polly platform, it processes personal information relating to their policyholders and insured parties - including names, contact details, identity numbers, financial information, and claims-related data. This information is processed strictly under the instruction of the relevant Client and subject to the data processing agreement in place with that Client. If you are an end user of a Polly-powered portal, your primary relationship for data privacy purposes is with the Client whose brand the portal carries.

3. How we use your information

We use the information collected through this website to:

• Respond to your demo request and assess whether Polly is a suitable fit for your business
• Schedule and conduct product demonstrations
• Send you information about Polly's products and services where you have consented or where we have a legitimate interest in doing so
• Analyse website traffic and improve the performance and content of this site
• Comply with our legal and regulatory obligations
• Detect and prevent fraud and misuse

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

4. Legal basis for processing

Under POPIA, we process personal information only when a valid condition for processing exists. The bases we rely on are:

• Consent - where you have provided explicit consent, such as opting in to marketing communications
• Contractual necessity - where processing is required to fulfil or enter into a contract with you or your organisation
• Legitimate interests - where our legitimate business interests in operating and improving the platform are not overridden by your rights and interests
• Legal obligation - where processing is necessary to comply with a legal or regulatory obligation

5. Sharing of information

We may share your personal information with:

• Service providers acting as Operators on our behalf, including hosting providers, email and CRM platforms, and analytics services - each bound by appropriate data processing agreements
• Intuition Machines, Inc. (hCaptcha), acting as an independent data controller, which receives interaction data from our contact form solely for bot-detection purposes as described in section 2.3
• Professional advisers including lawyers, auditors, and insurers, where necessary
• Regulators and law enforcement where required by applicable law or court order
• Prospective acquirers in the context of a merger, acquisition, or sale of assets, subject to confidentiality obligations

We do not share personal information with third parties for their independent marketing purposes without your consent.

6. Data retention

We retain personal information only for as long as is necessary for the purposes for which it was collected, or as required by law.

• Demo enquiries: Contact details and correspondence are retained for up to 24 months from the date of last meaningful contact, unless a business relationship is established
• Client platform data: Retained for the duration of the Client agreement and for the period required by insurance regulatory obligations thereafter - typically five to seven years depending on the jurisdiction and line of business
• Website analytics data: Aggregated analytics are retained indefinitely; IP-level data is retained for up to 12 months

When retention periods expire, data is securely deleted or anonymised.

7. Security

We implement appropriate technical and organisational measures to protect personal information against loss, unauthorised access, disclosure, alteration, or destruction. These include:

• Encryption of data in transit (TLS) and at rest
• Role-based access controls limiting staff access to personal information on a need-to-know basis
• Regular security assessments and penetration testing
• Audit logging of all access to and changes within the platform
• Incident response procedures, including breach notification processes compliant with POPIA's 72-hour reporting requirement

While we take reasonable precautions, no method of transmission over the internet is completely secure. We encourage you to report any suspected security issues to our Information Officer promptly.

8. Your rights

As a data subject under POPIA and applicable law, you have the following rights:

• Right of access - to request a copy of the personal information we hold about you
• Right to correction - to request correction of inaccurate or incomplete information
• Right to deletion - to request erasure of your information where we no longer have a lawful basis to retain it
• Right to object - to object to processing based on legitimate interests, and to direct marketing at any time
• Right to restrict processing - in certain circumstances
• Right to complain - to lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za or the relevant supervisory authority in your jurisdiction

To exercise any of these rights, contact us using the details in section 13. We will respond within 30 days. We may require verification of your identity before processing a request.

9. Cross-border transfers

The Polly platform is designed for global deployment. Personal information may be transferred to and processed in countries outside the Republic of South Africa. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with section 72 of POPIA, including contractual protections equivalent to those required under South African law, or reliance on jurisdictions that the Information Regulator has determined to provide an adequate level of protection.

10. Cookies & Analytics

This website does not set its own cookies. It stores a single preference in your browser's local storage to remember your selected theme (light or dark mode) for future visits. However, hCaptcha (see section 2.3) may set cookies or use browser storage as part of its bot-detection process when you interact with the contact form. These are set by Intuition Machines, Inc. under their own cookie policy and are necessary for security purposes.

We use Umami for website analytics. Umami is an open-source, privacy-focused analytics tool that collects only aggregated, anonymous metrics - pages visited, referrer, browser type, and country-level location derived from your IP address. Your IP address is never stored. No personal data is collected by Umami, no analytics cookies are set, and the data cannot be used to identify you as an individual.

Because Umami does not use cookies and the only browser storage we use is a functional theme-preference setting, this analytics setup does not require your consent under POPIA or equivalent privacy legislation.

11. Children

This website and the Polly platform are directed at business users and are not intended for use by persons under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately so we can delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify Clients directly. Your continued use of this website after such changes constitutes acceptance of the updated policy.

13. Contact us

For privacy-related queries, to exercise your rights, or to report a concern, please contact our Information Officer:

• Email: privacy@polly.global
• Post: Information Officer, Polly (Pty) Ltd, South Africa

To lodge a complaint with the South African Information Regulator: inforegulator.org.za