Back to Home

Privacy Policy

Last updated: April 16, 2026


  1. INTRODUCTION

    1. This Privacy Policy governs the manner in which MammothX Proprietary Limited (registration number 2025/525827/07) (“the Company”, “we”, “us” or “our”) collects, uses, stores, processes, and protects Personal Information in accordance with the provisions of the Protection of Personal Information Act, 2013 (“POPIA”).

    2. This Privacy Policy applies to all Personal Information processed through the Website and forms part of the Company’s commitment to lawful, reasonable, and transparent processing.

  1. DEFINITIONS

    1. For purposes of this Privacy Policy:

      1. Data Subject” means the natural person to whom the Personal Information relates.

      2. Participating Data Sources (Data Sources)” means, not limited to, any healthcare provider, funder, pathology practice, radiology provider, hospital, clinic, pharmacy, administrator, managed care organisation, or other authorised entity that creates, holds, manages or makes health-related information available within the Mammoth ecosystem.

      3. “Personal Information” has the meaning ascribed to it in POPIA and includes, but is not limited to, identifiable information relating to an identifiable, living natural person. 

      4. “Special Personal Information” includes health information as defined in POPIA. 

      5. “Processing” means any operation concerning Personal Information, including collection, storage, dissemination, or destruction. 

      6. “Unified Care Record (UCR)” means a consolidated, longitudinal and informational view of health-related information compiled from one or more Data Sources. 

  1. NATURE OF THE SERVICE

    1. The Website provides a secure digital interface through which:

      1. The Patient may create and manage a personal profile; 

      2. The Patient may access their UCR compiled through lawful data matching processes; 

      3. The Patient remains the sole authorised user with access to their UCR; 

      4. The underlying healthcare providers retain custody and control of original records within their respective systems. 

    2. The Company facilitates secure, consent-based access to the UCR.

      1. The systems operated by Participating Data Sources that create and maintain clinical and other healthcare information supplied to the HIE shall remain the primary systems of record in respect of such information.

      2. Mammoth shall act as the system of record, within the context of the HIE, in respect of:

  • demographic information associated with the User, whether provided directly by the User or received from Participating Data Sources and normalised within the HIE; and 

  • health information that is self-reported or otherwise submitted by the User through the HIE, 

provided that such information is clearly identified and distinguished within the HIE.

  1. Notwithstanding the above, Participating Data Sources shall remain the systems of record for the demographic and clinical information maintained within their respective systems, and nothing in this Agreement shall be construed as transferring ownership or control of such underlying records to Mammoth.

  2. Mammoth shall not assume responsibility for the clinical creation, accuracy, completeness or maintenance of any information originating from Participating Data Sources, nor shall Mammoth be responsible for verifying the accuracy of any information submitted by the User.

  3. The Unified Care Record presented through the HIE constitutes a consolidated and informational view of data sourced from multiple systems of record and does not replace, supersede or assume control over the underlying systems of record maintained by Participating Data Sources.

  4. Thus, Mammoth acts primarily as an Operator in respect of Personal Information processed on behalf of Participating Data Sources, and as a Responsible Party in respect of demographic information and information self-reported by the User within the HIE.

  1. LAWFUL BASIS FOR PROCESSING

    1. The Company processes Personal Information in accordance with POPIA, including:

      1. Consent of the Data Subject; 

      2. Performance of a contract with the Data Subject; 

      3. Compliance with legal obligations

      4. Legitimate interests, where applicable and not overridden by the rights of the Data Subject. 

    2. Processing of Special Personal Information (including health data) is conducted strictly in accordance with applicable POPIA provisions, including where:

      1. The Data Subject has provided explicit consent

      2. Processing is necessary for the proper treatment and care of the Data Subject; 

      3. Processing is necessary for the management of healthcare systems and services. 

  1. INFORMATION WE COLLECT

    1. The Company may collect and process the following categories of Personal Information:

      1. Identity and Demographic Information

  • Full name, identity number, date of birth, gender; 

  • Contact details (email address, mobile number); 

  • Address information. 

  1. Health Information (Special Personal Information)

  • Medical history; 

  • Diagnoses and treatment records; 

  • Laboratory and radiology results; 

  • Medication records; 

  • Clinical notes provided by healthcare practitioners. 

  1. Technical Information

  • IP address; 

  • Browser type and version; 

  • Device information; 

  • Website usage data. 

  1. SOURCE OF INFORMATION

    1. Personal Information is obtained from:

      1. The Data Subject directly; 

      2. Participating healthcare providers and data sources; 

      3. Systems integrated into the HIE ecosystem; 

      4. Lawfully authorised third parties. 

    2. All data collection is conducted lawfully and with appropriate consent or legal justification.

  1. PURPOSE OF PROCESSING

    1. Personal Information is processed strictly for the following purposes:

      1. To create and maintain the Patient’s profile; 

      2. To compile and present the Patient’s Unified Care Record; 

      3. To enable secure, authenticated access to the UCR; 

      4. To ensure continuity and accuracy of healthcare information; 

      5. To improve the functionality, security, and performance of the Website; 

      6. To comply with applicable legal and regulatory requirements. 

  1. ACCESS CONTROL AND DATA SUBJECT RIGHTS

    1. Exclusive Patient Access

      1. Access to the UCR via the Website is primarily limited to the Data Subject, subject to any consent-based sharing or authorised access mechanisms implemented within the HIE. The Company implements robust authentication and access control measures to ensure that:

  • Only the Patient may access their UCR; 

  • No third party may access the UCR via the Website without the Patient’s explicit and separate consent through other authorised mechanisms; 

  • Access credentials are protected through secure authentication protocols. 

  1. Data Subject Rights

    1. In accordance with POPIA, the Data Subject has the right to:

  • Access their Personal Information; 

  • Request correction or deletion of inaccurate information; 

  • Object to processing under certain circumstances; 

  • Withdraw consent (subject to legal limitations); 

  • Lodge a complaint with the Information Regulator South Africa. 

  1. INFORMATION SHARING AND DISCLOSURE

    1. The Company does not sell Personal Information, and may de-identify the Personal Information for analysis to generate certain analytics and insights reports derived from aggregating User profile and health data, i.e., Insights Reports.

    2. Personal Information may be shared only:

      1. With participating healthcare providers, where necessary; 

      2. Where required by law or regulatory authorities; 

      3. With authorised operators who process information on behalf of the Company under strict confidentiality obligations; 

      4. With the Data Subject’s explicit consent. 

    3. All third-party processing is governed by written agreements in compliance with POPIA.

  1. DATA SECURITY

    1. The Company implements appropriate, reasonable technical and organisational measures to safeguard Personal Information, including:

      1. Encryption of data in transit and at rest; 

      2. Multi-factor authentication mechanisms; 

      3. Role-based access controls; 

      4. Continuous monitoring and security audits; 

      5. Incident response and breach notification procedures. 

    2. The Company complies with POPIA’s requirements regarding the integrity and confidentiality of Personal Information.

  1. DATA RETENTION

    1. Personal Information is retained only for as long as necessary to:

      1. Fulfil the purposes outlined in this Privacy Policy; 

      2. Comply with legal, regulatory, and healthcare obligations; 

      3. Resolve disputes and enforce agreements. 

    2. Thereafter, information will be securely deleted or de-identified.

  1. CROSS-BORDER DATA TRANSFERS

    1. Personal Information may be transferred outside South Africa only where:

      1. The recipient is subject to laws or agreements providing an adequate level of protection; or 

      2. The Data Subject has consented to such transfer; or 

      3. The transfer is necessary for the performance of a contract. 

  1. COOKIES AND TRACKING TECHNOLOGIES

    1. The Website uses cookies and similar technologies to:

      1. Enhance user experience; 

      2. Monitor Website performance; 

      3. Improve security and functionality. 

    2. Users may manage cookie preferences through their browser settings.

  1. BREACH NOTIFICATION

    1. In the event of a security compromise affecting Personal Information, the Company will:

      1. Notify the Data Subject and the Information Regulator where required; 

      2. Provide sufficient information to enable protective measures; 

      3. Take immediate steps to mitigate the impact. 

  1. CHILDREN’S INFORMATION

    1. The Company processes children’s Personal Information only:

      1. With the consent of a competent person (e.g., parent or guardian); or 

      2. Where otherwise permitted by law. 

  1. CHANGES TO THIS POLICY

The Company reserves the right to amend this Privacy Policy from time to time. Updated versions will be published on the Website and will take effect upon publication.

  1. CONTACT DETAILS

For queries, requests, or complaints regarding this Privacy Policy or Personal Information processing, please contact:

Information Officer
MammothX Proprietary Limited
Name: Kegomoditswe Magobe

Email: kego@mammoth.health
Address: 67 Roscommon Road, Parkview, Gauteng, 2193