Privacy Policy
Your Data Protection and Privacy Matters
This Privacy Policy explains how Alula Technologies ("we", "us", "our") collects, uses, discloses, and protects Personal Information when providing our Software-as-a-Service (SaaS) platform and related services.
We are committed to processing Personal Information lawfully, fairly, and transparently, in compliance with:
- The Protection of Personal Information Act 4 of 2013 (POPIA) (South Africa); and
- The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy applies to policyholders, insured persons, beneficiaries, applicants, intermediaries, employees, contractors, and authorised users whose Personal Information is processed through our platform.
Our Principles
At Alula, we are committed to empowering you with a complete view of all your personally identifiable information and protected health information relating to the products you have used.
- Control. You are in control of the personal information you provide to us, which includes sharing, use, and retention.
- Access. We empower you with access to your data as provided so that you can take charge of your personally identifiable information and protected health information.
- Transparency. We are committed to transparent collection, storage, sharing, and processing of your personally identifiable information and protected health information.
- Protection. The privacy and protection of your personal information is of the utmost importance to us. We are committed to strong security measures and providing you with information regarding collection, processing, and storage of your personal information.
Roles and Responsibilities
For purposes of data protection legislation:
- Clients (Life Insurers) are typically the Responsible Party (POPIA) / Data Controller (UK GDPR).
- Alula Technologies acts as an Operator (POPIA) / Data Processor, processing Personal Information on documented instructions from our clients.
Where we process Personal Information for our own operational purposes (e.g. account management, security, compliance), we act as a Responsible Party / Controller.
Categories of Personal Information
Depending on the services used, we may process the following categories of Personal Information:
Identification and Contact Information
- Full name, identity number, or passport number
- Date of birth, gender
- Contact details (email address, telephone number, postal address)
Policy and Insurance Information
- Policy numbers and product details
- Underwriting and risk assessment data
- Claims-related information
- Beneficiary information
Special Personal Information / Special Category Data
Where permitted by law and instructed by our clients, this may include:
- Health and medical information
- Biometric or wellness-related data
- Lifestyle or risk-related indicators relevant to life insurance underwriting
Technical and Usage Data
- User credentials and access logs
- IP address, device information, browser type
- Audit logs, platform usage metrics
Purpose of Processing
Personal Information is processed for the following purposes:
- Provision, operation, and maintenance of the SaaS platform
- Policy administration, underwriting, and claims support
- Identity verification and fraud prevention
- Regulatory compliance (including insurance, data protection, and financial services laws)
- Information security, audit logging, and system monitoring
- Client support, service communications, and incident management
We do not process Personal Information for direct marketing unless explicitly instructed and lawfully authorised by our clients.
Lawful Basis for Processing
Processing is carried out in accordance with applicable lawful bases, including:
| POPIA | UK GDPR |
|---|---|
|
|
Data Sharing and Disclosure
We may disclose Personal Information only where necessary and lawful, including to:
- Authorised employees and contractors bound by confidentiality obligations
- Sub-processors providing hosting, security, analytics, or support services
- Regulators, courts, or law enforcement authorities where legally required
All sub-processors are subject to appropriate data protection agreements ensuring confidentiality, security, and compliance with POPIA and UK GDPR.
Cross-Border Transfers
Where Personal Information is transferred outside South Africa or the United Kingdom, we ensure that:
- The recipient is subject to laws, binding corporate rules, or contractual safeguards providing an adequate level of protection; and
- Appropriate safeguards are implemented, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.
Information Security Measures
We implement appropriate technical and organisational measures to protect Personal Information, including:
- Encryption of data in transit and at rest
- Role-based access controls and least-privilege principles
- Audit logging and monitoring
- Secure development and testing practices
- Incident and breach response procedures aligned to regulatory requirements
Data Retention
Personal Information is retained only for as long as necessary to fulfil the purposes for which it was collected unless a longer retention period is required or permitted by law. Retention periods are aligned with insurance, financial, and regulatory obligations.
Data Subject Rights
Data subjects have the following rights, subject to applicable legal limitations:
| POPIA Rights | UK GDPR Rights |
|---|---|
|
|
Requests must be submitted via our clients or directly to us where applicable at dpo@alulatechnologies.com.
Automated Decision-Making and Profiling
Our platform may support automated processing and profiling for underwriting, risk scoring, or fraud detection, strictly on documented client instructions. Appropriate safeguards, transparency measures, and human oversight are applied where required by law.
Data Breach Management
We maintain incident response procedures to identify, investigate, and manage Personal Information breaches. Where required, we will notify clients without undue delay to enable compliance with regulatory notification obligations under POPIA and UK GDPR.
Cookies and Online Tracking
Where applicable, cookies and similar technologies are used for platform functionality and security. Detailed information is provided in our separate Cookie Policy.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, regulatory, or operational changes. Updated versions will be made available through our platform or website.
Contact details
For privacy-related queries, requests, or complaints, please contact:
Full name of legal entity: Alula Technologies Limited
Postal address: 33 Great Portland St, London, W1W QG
Email address: dpo@alulatechnologies.com or info@alulatechnologies.com
Concerns or Questions
Your feedback is valuable to us. If you have any questions or suggestions on how we can enhance our privacy policy regarding personal information, please feel free to email us at dpo@alulatechnologies.com. We are here to address any concerns you may have and continuously improve our practices to better protect your data.
Last updated: 28 January 2026