Privacy Policy

1. HEPSTAR’S PRIVACY POLICY

Hepstar recognises that the protection of the User’s privacy is of utmost importance and that it has a duty to ensure the secure processing of Personal Data while providing the Services. This Policy governs Hepstar’s collection, disclosure, storage, transfer, use, recovery and destruction of Personal Data collected from Users who are citizens or residents of South Africa while providing the Services, including:

  • Why and how it is processed.
  • What kind of Personal Data is processed.
  • With whom we share Personal Data.
  • Rights of Data Subjects to access, update and request deletion of their Personal Data.

    This Policy does not apply to Third Party Websites, whether or not the User is redirected from or to such websites during the use of the Websites. These Third-Party Websites will be subject to their respective privacy policies and/or statements. This policy was last updated on 1 March 2023.

2. THE USER’S AGREEMENT WITH HEPSTAR

It is important to read this Policy which is supplementary to any other privacy notices Hepstar may provide from time to time so that the User is aware of how we process the User’s Persona Data.

By using the Services defined herein, the User acknowledges and agrees to the processing of Personal Data in accordance with this Policy. If the User does not agree with the aforementioned statement, please refrain from using the Services. This Policy may be updated from time to time and made available on the Websites without notice to the User.

3. PROCESSING OF THIRD-PARTY PERSONAL DATA PROVIDED BY THE USER

Due to the nature of the Services being provided, the User may provide Personal Data of other individuals when purchasing Products through the Websites or Distributor Websites on behalf of or to the benefit of such individuals, which results in Hepstar processing Personal Data of such individuals. The User warrants that it is authorised to provide data on behalf of such individuals and the contents of this Policy shall extend to such individuals.

4. PROCESSING OF PERSONAL DATA OF MINORS (UNDER THE AGE OF 18)

The User must be 18 years or older to use the Websites. The Websites contain certain controls to identify Users that are not of a suitable age, but unintended processing of Personal Data may occur if this warning is not observed.

Hepstar may process Personal Data of minors if such data is provided by a User that is their parental or legal guardian and the contents of this Policy shall extend to such minors where applicable.

5. DEFINITIONS

The following terms and phrases shall have the meaning ascribed to them hereunder wherever they appear in this Policy. In the event the definitions conflict with Data Laws, the definitions of the Data Laws will apply.

Data Breach means an event (or chain of events) that compromises (or is likely to compromise) the confidentiality, integrity or availability of Personal Data.

Data Controller means a person or entity that determines the purposes for which and the means by which Personal Data is processed.

Data Laws means any laws, regulations, conventions or other codifications that govern the processing of Personal Data of the User, including the Protection of Personal Information Act, 4 of 2013 (“POPIA”) and the General Code of Conduct for Authorised Financial Services Providers and Representatives (“GCOC”) published under section 15 of the Financial Advisory and Intermediary Services Act, 37 of 2002 (“FAIS Act”).

Data Processor means a person or entity that processes Personal Data on behalf of the Data Controller.

Data Subject means any person in respect of whom Personal Data is collected, held or processed by Hepstar, including the User and persons in respect of whom the User provides Personal Data.

Distributor means a third party that –

  • is indicated as a distributor partner of Hepstar on our Websites;
  • is the owner of a Third-Party Website that presents, markets or makes the Products available through the use of the Services.

Distributor Representatives means employees, agents or other representatives of Distributors.

Distributor Website means a website owned and/or operated by a Distributor.

Hepstar/we/us/our means Hepstar Financial Services (Pty) Ltd, registration number 2013/139291/07 situated at 8th Floor, Tarquin House, 81 Loop Street, Cape Town 8001, South Africa.

Hepstar Representatives means employees, agents or other representatives of Hepstar.

Personal Data means information that can be used to identify individual Data Subjects, including, without limitation, identification or passport number, email address, physical address, telephone number, information relating to health, criminal behaviour and views of or about a Data Subject.

Process or Processing means the collection, receipt, recording, organisation, collation, analysis, storage, updating, modification or destruction of Personal Data.

Product means any product or service product supplied by a Supplier that is presented, marketed or made available through the Services.

Services means the hosting, marketing, promotion, facilitation, distribution or sale in of the Products through the Websites or Distributor Websites and/or the provision of services in relation thereto.

Supplier means a third party indicated as –

  • a supplier partner of Hepstar on our Websites; or
  • the supplier of a particular product or service product made available through the Services.

Supplier Representatives means employees, agents or other representatives of a Supplier.

Technical Service Providers means third-party providers of technical services utilised by Hepstar during the provision of the Services, including without limitation, cloud storage, messaging and analytical services.

Third Party Website means a website owned and/or operated by a third party.

User means a person that utilises the Services by means of the Websites or Distributor Websites.

Websites means the domains owned and operated by Hepstar, including without limitation https://hepstar.co.za, https://whitelabel.gateway.insure and https://www.hepstar.com, including any extensions of same accessible through a Distributor.

6. WHO IS RESPONSIBLE FOR PERSONAL DATA OF THE USER

Hepstar is a Data Controller or joint Data Controller in relation to the User’s use of the Websites or the User’s purchase of Products offered through the Websites. Hepstar therefore determines the purpose for which the User’s Personal Data is processed. Hepstar is a Data Processor in relation to the User’s use of Distributor Websites where it does not result in a purchase through the (Hepstar) Websites.

Distributors are generally considered joint Data Controllers together with the Suppliers in relation to the User’s purchase of Products through Distributor Websites.

Suppliers of products are generally considered joint Data Controllers in relation to the purchase of Products through the Websites or Distributor Websites as they determine the purpose for which the User’s Personal Data is processed.

Should you have any questions related to the processing of your Personal Data, please reach out to us at privacy@hepstar.com

7. PERSONAL DATA WE COLLECT ABOUT THE USER

The Personal Data Hepstar obtains from the User may depend on the manner in which Hepstar obtains it, its source, the Products purchased, as well the manner in which the User interacts with the Websites or Distributor Websites. The different types of data we obtain or receive from the User and process can be categorised as follows:

Identification Data: First name, last name, gender, nationality or residency, residential address, identity number, passport number, title and date of birth / age.

Contact Data: Email address and telephone number.

Financial Data: Bank account details and payment card details.

Transaction Data: Detail about the User’s travel itinerary, the Products selected and the date of the purchase.

Technical Data: Detail about the device used to access the Websites, including browser name, mobile phone make and model and operating system

Analytical Data: Detail about the use of the Websites, including the selections made, the pages visited, and the time spent on the respective pages.

Claims Data: Information submitted in support of a claim, including photo or video evidence.

Messaging Data: Email and electronic messages or non-electronic communications sent to Hepstar.

Marketing Data: Consent provided or not-provided in relation to marketing communications.

8. HOW HEPSTAR OBTAINS PERSONAL DATA OF THE USER

Hepstar obtains data in different ways while providing the Services:

User interactions directly with Hepstar

  • Data provided by the User and/or collected by Hepstar when the User visits the Websites, including data the User inputs in data fields, selections made, or documents uploaded by the User via the Websites.
  • Data provided by the User and/or collected by Hepstar over the phone, in email correspondence or post.

User interactions with Distributor Websites

  • Data provided by the User and collected by Hepstar when visiting a Distributor Website and electing to purchase a Product, including data the User inputs in data fields and selections made by the User via the Distributor Websites.
  • Data provided by the User and collected by Hepstar when visiting a Distributor Website, including data the User inputs in data fields and selections made by the User via the Distributor Websites, where the User is redirected to the Websites either from the Distributor Website or from a Distributor’s email correspondence.

Website Cookies
Hepstar collects data automatically when the User visits the Websites through the use of Cookies. Cookies are used to enable necessary functions of the Websites, enable additional features which enhance the usability and efficiency of the Websites or enable Hepstar to gain a better understanding of its user base in general through the analysis of the User’s activity to improve user experience of the Websites.

For more information of cookies and how Hepstar uses them, please see Hepstar’s Cookie Policy.

9. DIRECT AND THIRD PARTY MARKETING

The User’s explicit consent will be obtained should Hepstar, Distributors, Suppliers or other third parties wish to send the User direct marketing communications via email, text messaging or other means following use of the Websites and the User has the right to withdraw such consent at any time by following the instructions in such communications or by contacting Hepstar at privacy@hepstar.com or by contacting the relevant publisher of such communications through their appropriate channels.

10. THE DATA WE DO NOT COLLECT ABOUT THE USER

Hepstar does not collect the following Data from the User:

Special Data: Religious, philosophical and political views or beliefs; trade union membership; sexual orientation or sex life; criminal convictions or offences; and health, genetic or biometric data.

11. WHAT THE USER’S PERSONAL DATA IS USED FOR

Hepstar is required to process the User’s Personal Data to meet its legitimate business interests or to comply with legal or fiscal obligations arising from the provision of the Services. This includes the processing of Personal Data for purposes of:

  • Quoting the price of a Product through the Websites or Distributor Websites;
  • Completing the purchase of a Product by the User through the Websites or Distributor Websites and to conclude the associated contract between the User and Hepstar or the relevant Supplier;
  • Providing the User with proof of a Product purchased through the Websites or Distributor Websites, including an invoice, policy schedule, certificate, proof of membership, application access credentials or otherwise;
  • Recording the purchase of a Product by a User in Hepstar and the Supplier’s respective systems in order to provide the benefits and/or services purchased, as well as administrative functions in relation thereto;
  • Communicating with the User in respect of Products purchased;
  • Preventing and detecting fraud;
  • Complying with applicable laws and regulations;
  • Analysing browsing behaviour on the Websites;
  • Communicating with subscribers to Hepstar’s newsletter or to invite the User to participate in market research or surveys.

Should Hepstar be required to use the User’s Personal data for another purpose, the User will notified of the purpose and the grounds for it.

12. ACCESS TO AND DISCLOSURE OF PERSONAL DATA

Hepstar is required to share the User’s Personal Data with the below mentioned third parties in order to give effect to the legitimate purposes for processing as set out in this Policy. Hepstar and third parties are bound by contractual obligations to ensure Personal Data is processed in a secure manner through the application of administrative, operational and technical security measures, that Personal Data it is kept confidential and that Personal Data is only used for the purposes for which it is disclosed.

Hepstar Representatives, Suppliers and Supplier Representatives, Distributors and Distributor Representatives:
Hepstar Representatives, Supplier Representatives and Distributor Representatives that are required to have such access to provide customer service, reporting, IT administration, reporting and/or benefits and services in relation to Products purchased by the User.

Technical and Payment Service Providers:
Technical Service Providers tasked with cloud storage and computing capacity, messaging and analytical services as utilised by Hepstar for the performance of the Services, including:

  • Amazon Web Services (Cloud Hosting)
  • The Rocket Science Group LLC d/b/a Mailchimp (Emailing service)
  • Credit and debit card companies (Payment processing)

Professional Services:
Hepstar’s professional advisers, auditors and accounting services bound by a duty of confidentiality if and where necessary to do so to meet reporting obligations associated with such services.

Regulatory Authorities:
Regulatory authorities and their representatives, including those tasked with regulating data processing, Products, accounting and tax

13. DATA SECURITY

Hepstar maintains appropriate physical, technical, operational and administrative security measures to prevent the User’s Personal Data from being lost, destroyed, corrupted or adapted, as well as accessed by unauthorised third parties. This includes industry standard measures to ensure:

  • Encryption during processing, transmission and storage of Personal Data;
  • Protection against, identification of and response to Data Breach;
  • Restriction of access on a need to know basis;
  • Privacy of credit card information in compliance with PCI DSS.

14. RETENTION OF PERSONAL DATA

Retention in identifiable form
Hepstar only retains the User’s Personal Data for as long as is necessary to fulfil the purposes for which it is processed, taking the following factors into consideration:

  • Nature and sensitivity of the Personal Data;
  • Risk of harm in the event of a Data Breach;
  • Alternative means to fulfil the purposes;
  • Extension of time required for meeting accounting, reporting or legal requirements of Hepstar or its Suppliers.

Retention in pseudonymised or anonymised form
Hepstar may elect to retain data accompanying Personal Data of the User arising from the same transaction indefinitely in an pseudonymised or anonymised form for statistical and analytical purposes without notifying the User.

15. INTERNATIONAL TRANSFER OF PERSONAL DATA

During the course of providing the Services, the User’s Personal Data will be transferred outside the borders of South Africa in the following instances:

  • Transfer to Hepstar’s primary cloud storage facilities in Dublin, Republic of Ireland;
  • Transfer to Hepstar’s emailing service in the United States;
  • Transfer to foreign Suppliers (where applicable).

The User understands and consents to the abovementioned transfer and the legitimate purposes for which it is transferred.

16. INACCURATE PERSONAL DATA OR FAILURE TO PROVIDE PERSONAL DATA

The User’s failure to provide Personal Data where it is required to perform the Services or to meet legal obligations will result in such Services being rendered unavailable or null and void. Hepstar and/or its Suppliers reserve the right to terminate the Services or cancel a Product purchased (as the case may be) should a transaction nonetheless be completed if the User has failed to provide requisite Personal Data or has provided false or inaccurate Personal Data.

17. USER’S LEGAL RIGHTS

The User shall have the following rights afforded by the Data Laws and/or Hepstar in respect of the User’s Personal Data, which can be exercised by contacting Hepstar at privacy@hepstar.com

Right to request access to the User’s Personal Data
The User may request a copy of the Personal Data held by Hepstar and to verify the legitimacy of the processing activities.

Right to request correction of the User’s Personal Data
The User may request to have Personal Data held by Hepstar corrected in the event is incomplete or inaccurate.

Right to request erasure of the User’s Personal Data
The User may request Personal Data held by Hepstar to be deleted or otherwise removed where:

  • there is no legitimate reason to continue processing it;
  • the User has objected to processing in accordance with the User’s right to do so;
  • Hepstar has processed the Personal Data unlawfully;
  • Hepstar is required to erase Personal Data in compliance with Data Laws or other applicable laws.

The abovementioned right is may be restricted by legal and compliance obligations of Hepstar requiring it to retain the Personal Data of the User, which the User shall be notified of if applicable.

Right to object to processing of the User’s Personal Data
The User may object to processing of Personal Data by Hepstar where:

  • processing is for direct marketing purposes;
  • processing impacts the User’s fundamental rights and freedoms in the User’s opinion.

The abovementioned right may be restricted if Hepstar has legitimate grounds for processing the Personal Data.

Right to request restriction of processing of the User’s Personal Data
The User may request Hepstar to suspend processing of Personal Data held by Hepstar where the User:

  • wants Hepstar to establish the correctness of the Personal Data;
  • deems the processing unlawful;
  • wants to establish, exercise or defend a legal claim;
  • has exercised the right to object to processing, but such right is pending Hepstar’s verification whether it may nonetheless proceed due to it having legitimate grounds which overrule said right

Right to request the transfer of the User’s Personal Data to the User or to a third party
The User may request Hepstar to provide the User’s Personal Data to the User or a third party nominated by the User in a legible and machine-readable format.

The abovementioned right may be limited to Personal Data which was provided through the Websites or a Distributor Website by the User (i.e. online).

Right to withdraw consent at any time
The User may withdraw its consent to Hepstar processing the User’s Personal Data where such processing relies on the explicit consent of the User.

The abovementioned right shall not affect processing of Personal Data conducted prior to consent being withdrawn.

18. REQUIREMENTS, FEES AND RESPONSE TIME FOR USER REQUESTS

The User may be required to provide information to assist Hepstar in verifying the identity and rights of the User. If need be, Hepstar may contact the User for additional information in order to expedite the response.

The User is not required to pay a fee to exercise any of the User’s rights, provided that Hepstar reserves the right to charge a reasonable fee or refuse to oblige in the event the User’s request is deemed irrational or excessive. Hepstar aims to respond to all reasonable requests within 30 days.

19. DATA PROTECTION OFFICER

Hepstar has appointed a data protection officer / information security officer responsible for upholding and addressing queries related to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the data protection officer at privacy@hepstar.com

20. COMPLAINTS

The User has the right to lodge a complaint at any time with the relevant supervisory authority; however; Hepstar would greatly appreciate the opportunity to address the User’s concerns before the User decides to do so.

RESIDENTS AND CITIZENS OF THE EUROPEAN UNION, UNITED KINGDOM, LICHTENSTEIN, NORWAY, ICELAND & OTHER

Click here to view our Privacy Policy.

COOKIE POLICY

Click here to view our Cookie Policy.

General Enquiries

info@hepstar.com

Claims

086 144 4548

claims@hepstar.co.za

Emergency Services

+27 11 991 8731

+27 83 676 0411

assist@europassistance.co.za

©2025 HEPSTAR. All Rights Reserved - Hepstar Financial Services (Pty) Ltd is an authorised financial services provider (FSP 45097)