BrightRock's Privacy Policy
At BrightRock, we respect your right to privacy, and value your trust. We'll always do our best to protect your information and protect your interests. In this policy, we tell you how we collect, use, disclose, retain, and protect your personal information. This is required by the Protection of Personal Information Act (POPIA) and other relevant laws and regulations. Our privacy policy applies to any BrightRock website, text message (such as an SMS or WhatsApp message), email, application, form, document, product, or service that refers to this privacy policy. It also supplements any other privacy clauses that deal with how BrightRock processes personal information.
We'll keep your information safe
BrightRock has implemented and maintains appropriate security policies and controls for all users. By using our website, you agree to be bound by our terms.
We'll protect the information collected while you are using our website
When you use our website, information about you is transmitted electronically. We respect your privacy and won't share your information with third parties without your consent. We'll do our best to protect your information, but we can't guarantee the security of any information you transmit to us online. You do so at your own risk, and we aren't liable for any damage you may suffer. For more information on how to stay safe online, see: Don't fall victim to phishing attempts.
We use your information to make our site better
We use the information we collect about you to communicate with you. We also use it to:
Improve our service;
Monitor the usage and performance of our website.
This information is aggregated, which means no one will be able to identify you or your details. However, if you tell us not to use your personal information, we won't use it.
We receive information about your use of our site
We may use technology to gather information about how you use our website, including details of your operating system, browser version, domain name, and IP address. Your IP address is a string of numbers that tells us which server you are using – it does not identify you. This information is sometimes called 'clickstream data', and we use cookies to collect some of this information.
Take care when following links to our site
Where other parties have links to the BrightRock website, these websites' administrators or owners may be able to collect your information when you click on these links. Please note that we don't control the third‑party websites or their use of your information, and we aren't liable for their use of your information.
Don't share your login details
Some areas of our website require financial advisers to register and log in with a username and password. We comply with legislation and use sophisticated encryption and security software to protect these areas of the site. You must keep your login details confidential to protect the confidential information and electronic transactions.
How we process your information when you apply for a policy or service from us
BrightRock needs personal information relating to both individuals and juristic people (legal entities, such as businesses or trusts) to carry out our business and organisational functions. The people or entities whose information we collect are referred to as data subjects.
BrightRock determines the manner in which this information is processed and the purpose for which it is processed. POPIA defines personal information as "information which relates to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person". This includes, but is not limited to, your name, sex, gender, address, contact details, identity number and medical or health information. This policy applies to the processing of personal information throughout the information life cycle, from the point of first collection of personal information until the time that the information is destroyed.
As such, BrightRock is a responsible party for the purposes of POPIA and will ensure that the personal information that we collect of any data subject is:
Processed lawfully, fairly, and transparently. This includes providing data subjects with appropriate information when collecting their information, in the form of privacy or data collection notices. BrightRock must also have a legal basis (for example, the data subject's consent) to process personal information;
Processed only for the purposes for which it was collected;
Not processed for a secondary purpose, unless that processing is compatible with the original purpose;
Adequate, relevant, and not excessive for the purpose for which it was collected;
Accurate and kept up to date;
Not kept for longer than necessary. Once the purpose for which the personal information was initially collected and processed no longer applies or becomes obsolete, and there is no legitimate reason for retention of such personal information, it will be deleted, destroyed or de‑identified;
Processed in accordance with integrity and confidentiality principles. This includes physical and organisational measures to ensure that personal information, in both physical and electronic form, is subject to an appropriate level of security when stored, used, and communicated by BrightRock. The purpose of these security measures is to protect the data against access and acquisition by unauthorised people and accidental loss, destruction, or damage;
Processed in line with the rights of data subjects, where applicable. We may retain certain information for longer periods for proof, statistical, historical or research purposes.
Direct marketing
BrightRock does not engage in unsolicited direct marketing. All interactions with our clients occur with consent and are aligned with regulatory requirements.
How we work with trusted third parties
BrightRock sometimes uses trusted third parties – such as service providers, suppliers, and financial advisers – to help us deliver our services. When we do, we ensure they handle your personal information responsibly and securely.
We have agreements in place with all authorised third parties (called "operators") that require them to:
Protect your personal information using appropriate security measures;
Treat your information as confidential, and only use it as needed to perform their duties;
Notify BrightRock immediately if there's any suspected or actual data breach;
Only act on BrightRock's instructions when processing your information;
Undergo due diligence and regular reviews to confirm their compliance with our standards.
We won't give your personal information to any third party unless:
We ask you and you consent to our doing so;
We're required to share it by law;
We're ordered by a regulatory authority.
These measures help ensure your information is always handled in line with POPIA and our internal policies.
Transferring your personal information outside of South Africa
If BrightRock needs to transfer your personal information to countries outside South Africa, we will only do so if:
The destination country has data protection laws similar to POPIA;
You have given your consent;
The transfer is necessary to carry out a contract with you or on your behalf;
The transfer is in your best interest, and getting your consent is not practical, but you would likely give it; or
There are binding agreements in place to ensure your information remains protected.
Your privacy remains a top priority, no matter where your information is processed.
Your rights when it comes to how we collect and process personal information
All data subjects have the following rights:
We must notify you, as a data subject, that your personal information is being collected by BrightRock;
Should BrightRock become aware of, or suspect, any non‑compliance with the terms of this policy, we are required to investigate, assess the risk and impact and report this to the Information Regulator and/or affected data subjects, where necessary;
You have the right to know whether BrightRock holds personal information about you, and to access that information. Any request for information must be handled in line with the provisions of this privacy policy and BrightRock's PAIA manual;
You may request the correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully‑obtained personal information;
You may object to BrightRock's use of your personal information and request the deletion of such personal information (BrightRock will delete this information in line with our record‑keeping requirements);
You may object to the processing of personal information for the purposes of direct marketing by means of unsolicited electronic communication;
You may complain to BrightRock regarding the processing of your personal information by emailing complaints@brightrock.co.za;
You may complain to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and PAIA, and institute civil proceedings regarding the alleged non‑compliance with the protection of, or access to, your personal information;
You may complain to the Information Regulator using the complaint form available on the website of the Regulator. Their contact details are:
The Information Regulator (South Africa)
Woodmead North Office Park, 54 Maxwell Drive Woodmead, Johannesburg, 2191
PO Box 31533, Braamfontein, Johannesburg, 2017
Complaints about any denied PAIA request, email: PAIAComplaints@inforegulator.org.za
Complaints about the misuse of your personal information, email: POPIAComplaints@inforegulator.org.za
General enquiries, email: enquiries@inforegulator.org.za
If you've got any questions, please email informationofficer@brightrock.co.za or call us on 0860 00 77 44.
This privacy policy was last updated in August 2025.