POPIA Compliance

In terms of Section 1 of POPIA, the responsible party for the processing of your personal information is:

Cavitech AI (Pty) Ltd
Republic of South Africa

Information Officer: Ruan Baker
Email: privacy@cavitech-ai.com

The Information Officer is responsible for encouraging compliance with the conditions for the lawful processing of personal information, dealing with requests made to the responsible party, and working with the Information Regulator in relation to investigations and compliance.

We process personal information only when we have a lawful basis to do so under POPIA. The following conditions, set out in Section 11, govern our processing activities:

• Consent (Section 11(1)(a)): Where you have given us your voluntary, specific, and informed consent to process your personal information for a defined purpose — for example, when you create an account or upload dental X-rays for AI-assisted analysis.
• Contract (Section 11(1)(b)): Where processing is necessary to carry out actions for the conclusion or performance of a contract to which you are a party. This includes providing the Cavitech AI platform, processing subscription payments, and delivering the services you have requested.
• Legal obligation (Section 11(1)(c)): Where processing is necessary to comply with a legal obligation to which Cavitech AI is subject, such as tax record-keeping, responding to lawful court orders, or regulatory compliance requirements.
• Legitimate interest (Section 11(1)(f)): Where processing is necessary for the pursuit of our legitimate interests or those of a third party to whom the information is supplied, provided that such interest is not overridden by your rights. We rely on this basis for product improvement, security monitoring, and fraud prevention.

Special personal information (Section 32): Dental X-rays, clinical findings, and patient health data constitute special personal information as defined in Chapter 3, Part B of POPIA. We process this data only where processing is necessary for the provision of health services and is carried out by or under the responsibility of a healthcare professional who is subject to an obligation of confidentiality. All AI-generated findings are subject to clinical review and approval before inclusion in patient reports.

As a data subject, you have the following rights under POPIA. You may exercise any of these rights by contacting our Information Officer at privacy@cavitech-ai.com.

• Right to be notified (Section 18): You have the right to be notified that your personal information is being collected, or that it has been accessed or acquired by an unauthorised person. We will inform you of the purpose of collection, the categories of information collected, and the identity of any third-party recipients.
• Right to access (Section 23): You have the right to request confirmation of whether we hold personal information about you, and to request access to a record of that information. We will respond within a reasonable time and provide the information in a form that is generally understandable.
• Right to correction (Section 24): You have the right to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. We will correct or delete such information and notify any third parties who have received the information.
• Right to object (Section 11(3)): You have the right to object, on reasonable grounds relating to your particular situation, to the processing of your personal information. You may also object to the processing of your personal information for purposes of direct marketing by means of unsolicited electronic communications.
• Right not to be subject to automated decision-making (Section 71): You have the right not to be subject to a decision that is based solely on the automated processing of your personal information and that has a legal effect on you or significantly affects you. See Section 5 below for details on how we ensure human oversight.
• Right to complain (Section 74): You have the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the provisions of POPIA. See Section 6 below for the Regulator's contact details.
• Right to institute civil proceedings (Section 69): You have the right to institute civil proceedings regarding an alleged interference with the protection of your personal information. Proceedings may be brought before a court having jurisdiction.

We will respond to all data subject requests within a reasonable time, and no later than the timelines prescribed by POPIA. We may request proof of identity before actioning any request.

In accordance with Section 72 of POPIA, personal information may only be transferred to a recipient in a foreign country if adequate safeguards are in place. Cavitech AI uses the following internationally hosted service providers to deliver its platform:

• Convex: Real-time database and backend infrastructure. Data is stored in data centres that maintain industry-standard security certifications.
• Cloudflare: Content delivery, DDoS protection, and edge computing services. Cloudflare processes data in accordance with binding contractual obligations and applicable data protection standards.
• Railway: Application hosting and deployment infrastructure. Railway maintains appropriate technical and organisational security measures for the protection of personal information.

We ensure that all cross-border transfers comply with Section 72 by verifying that recipients are subject to laws, binding corporate rules, or contractual obligations that provide an adequate level of protection substantially similar to the conditions for the lawful processing of personal information under POPIA. We also implement appropriate technical safeguards, including encryption in transit and at rest, access controls, and regular security assessments.

In accordance with Section 71 of POPIA, no person may be subject to a decision which results in legal consequences for them, or which affects them to a substantial degree, that is based solely on the automated processing of personal information.

Cavitech AI uses artificial intelligence to analyse dental X-rays and generate clinical findings. However, our platform is designed with a mandatory human oversight mechanism: the finding approval workflow. All AI-generated findings are assigned a status of "pending" and must be individually reviewed, and then approved or declined, by a qualified dental practitioner before they are included in any clinical report or patient record.

This means that no clinical decision is made solely on the basis of automated processing. The AI serves as a decision-support tool, augmenting the dentist's clinical judgement rather than replacing it. Patients retain the right to request that any AI-assisted finding be reviewed by a human practitioner, and may object to automated processing at any time by contacting our Information Officer.

If you believe that your rights under POPIA have been infringed, you have the right to lodge a complaint with the Information Regulator of South Africa:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street
Braamfontein, Johannesburg
2001

General enquiries: enquiries@inforegulator.org.za

We encourage you to contact our Information Officer first so that we may attempt to resolve your concern directly. However, this does not affect your right to lodge a complaint with the Information Regulator at any time.