Privacy Policy

1. Introduction

SureNett is an intelligent health insurance platform developed and operated by CoreNett Limited ("CoreNett," "we," "our," or "us"). CoreNett Limited is a systems infrastructure company incorporated in the Republic of Ghana, with its principal place of business at House #134 University Farm Road, Accra, Ghana.

This Privacy Policy describes how SureNett collects, uses, stores, shares, and protects personal information when you: (a) visit or interact with our website at www.surenett.com (the "Website"); (b) engage with us for business or procurement purposes; (c) access or use the SureNett platform; or (d) contact us for any other reason.

We are committed to processing personal data responsibly, transparently, and in compliance with applicable law — including the Data Protection Act, 2012 (Act 843) of Ghana, the regulations of the Data Protection Commission of Ghana, and other applicable data protection and privacy frameworks to the extent they apply to our operations.

Please read this Policy carefully. By accessing or using the Website or our services, you acknowledge that you have read and understood this Policy.

2. Scope of This Policy

This Policy applies to:

• Website visitors — individuals who browse www.surenett.com, submit forms, or otherwise interact with the Website.
• Prospective clients and partners — individuals who contact SureNett for business enquiries, demonstrations, or partnership discussions.
• Enterprise clients and their authorised representatives — organisations and individuals who enter into agreements to use the SureNett platform.
• Platform end-users — individuals whose data is processed through SureNett on behalf of our enterprise clients (where SureNett acts as a data processor).
• Employees, contractors, and service providers — to the limited extent addressed by this Policy; separate internal policies govern employee data.

Where SureNett processes personal data on behalf of an enterprise client (e.g., claims data or beneficiary records), the enterprise client is the data controller and SureNett acts as a data processor. In those cases, the client's own privacy notice governs end-users' rights, and SureNett's obligations are governed by the applicable data processing agreement.

3. Data Controller Information

For personal data collected directly through the Website and corporate interactions, CoreNett Limited is the data controller:

4. Information We Collect

SureNett collects personal information only where it is necessary and proportionate to the purposes described in this Policy.

4.1 Website Visitors

When you visit or interact with our Website, we may collect:

• Contact and enquiry data: name, email address, phone number, company name, and job title — provided when you complete a contact form, book a demonstration, or subscribe to communications.
• Communication data: the content of messages or enquiries you send us, including supporting attachments.
• Automatically collected technical data: IP address; browser type and version; operating system; referring URL; pages visited and time spent; device identifiers; language preferences.
• Cookie and tracking data: session identifiers and analytics data as described in Section 7 below.

4.2 Enterprise Clients and Business Representatives

In the course of a business relationship, we may collect:

• Identity and contact information of authorised representatives (name, title, business email, telephone).
• Contractual and commercial information (signed agreements, purchase orders, billing details).
• Communications records (emails, meeting notes, support tickets).
• Technical access credentials and audit logs for platform environments.

4.3 Health Insurance Platform Data

Where SureNett is deployed on behalf of an insurer, health maintenance organisation, or scheme administrator, personal data processed may include:

• Beneficiary identity data (name, date of birth, national ID, health insurance number).
• Clinical and treatment data (diagnoses, procedures, clinical notes relevant to claims adjudication).
• Claims and authorisation data (pre-authorisation requests, claims submissions, adjudication outcomes, supporting documentation).
• Health insurance eligibility, coverage, and enrolment information.
• Provider information (healthcare facility details, provider credentials, billing codes).

This data is processed on behalf of the enterprise client (the controller). SureNett does not use this data for its own commercial purposes beyond operating the contracted service.

4.4 Special Categories of Data

Health information processed through the SureNett platform constitutes sensitive personal data under the Ghana Data Protection Act. We apply heightened security and access controls to such data and process it only on the basis of explicit consent, contractual necessity, or legal obligation.

4.5 Data We Do Not Collect

SureNett does not:

• Sell or rent personal information to third parties.
• Collect sensitive personal data through the Website without a specific operational need and appropriate safeguards.
• Use facial recognition or biometric identification on Website visitors.

5. Legal Basis for Processing

SureNett processes personal data on the following legal grounds under the Ghana Data Protection Act, 2012 (Act 843) and, where applicable, equivalent provisions of international frameworks:

6. How We Use Your Information

6.1 Website and Corporate Operations

• To respond to enquiries, demonstration requests, and support communications.
• To provide you with information about SureNett products and services where you have requested this.
• To manage and administer contracts and commercial relationships.
• To send transactional and service communications (e.g., confirmations, invoices, updates).
• To conduct due diligence for business partnerships or vendor engagements.

6.2 Platform Operations (on behalf of enterprise clients)

• To provision, maintain, and operate the SureNett platform as contracted.
• To process claims, pre-authorisation requests, eligibility checks, and adjudication workflows as directed by the enterprise client.
• To provide technical support, incident management, and system monitoring.
• To enforce contractual service levels and conduct quality assurance.

6.3 Security and Compliance

• To detect, investigate, and prevent fraudulent claims, unauthorised access, and security incidents.
• To comply with regulatory reporting obligations to the Data Protection Commission, the National Health Insurance Authority (NHIA), and other applicable regulators.
• To maintain audit trails and records as required by law or contract.

6.4 Analytics and Improvement

• To analyse website usage patterns in aggregate to improve navigation and content.
• To measure platform performance, identify system issues, and enhance service reliability.
• To develop de-identified or aggregated insights for product improvement and strategic planning.

6.5 Marketing (Opt-In Only)

• To send newsletters, product updates, or event invitations where you have consented to receive such communications.
• You may withdraw marketing consent at any time by clicking 'unsubscribe' in any marketing email or by contacting us at enquiries@corenett.com.

7. Cookies and Similar Technologies

We use cookies and similar tracking technologies on our Website. A cookie is a small text file placed on your device to help us provide a better user experience. We distinguish between the following categories:

You can manage cookie preferences at any time through your browser settings or our cookie preference centre on the Website. Disabling cookies may affect certain Website functions.

8. Data Sharing and Third-Party Disclosure

SureNett does not sell, rent, or trade your personal information. We may share data only in the following circumstances:

8.1 Authorised Sub-Processors and Service Providers

We engage trusted third-party vendors who process data on our behalf under written data processing agreements that require them to maintain equivalent data protection standards. Categories include:

• Cloud infrastructure and hosting providers (servers, storage, backup).
• Email delivery and notification service providers.
• Analytics and monitoring platforms (configured for data minimisation and anonymisation where applicable).
• Customer relationship management (CRM) and helpdesk platforms.
• Security and fraud detection services.

8.2 Enterprise Clients

Where SureNett acts as a data processor on behalf of an enterprise client, data may be shared back with that client or other processors they have authorised, strictly as directed by the client and within the scope of the data processing agreement.

8.3 Regulatory and Government Authorities

We may disclose personal data where required to do so by law, court order, or regulatory directive — including to the Data Protection Commission, the National Health Insurance Authority (NHIA), or any other competent authority with jurisdiction.

8.4 Corporate Transactions

In the event of a merger, acquisition, restructuring, or sale of all or part of CoreNett's business, personal data may be transferred as part of that transaction. We will provide notice and ensure appropriate safeguards are maintained.

8.5 With Your Consent

We may share data with third parties where you have given explicit, informed consent for a specific purpose not otherwise covered by this Policy.

9. Artificial Intelligence and Automated Decision-Making

The SureNett platform embeds artificial intelligence, machine learning, and automated decision-support capabilities. We are committed to responsible AI governance, including:

9.1 How AI Is Used

• Claims adjudication support: AI models analyse clinical and billing data to flag anomalies, support adjudication decisions, and assist fraud detection. Final determinations in high-impact cases remain subject to human review.
• Real-time fraud detection: Automated rules and anomaly detection identify suspicious patterns in claims submissions before payment is processed.
• Operational intelligence: AI-driven analytics detect system anomalies, optimise workflows, and generate operational insights for insurers and scheme administrators.

9.2 Your Rights Regarding Automated Decisions

Where a decision produces a significant legal or equivalent effect and is based solely on automated processing, individuals have the right to:

• Request human review of the automated decision.
• Obtain a plain-language explanation of the logic involved.
• Contest the decision and provide additional context.

To exercise these rights, contact enquiries@corenett.com. In many cases, the relevant enterprise client (not SureNett) is the controller responsible for responding to such requests.

9.3 AI Governance Principles

• Accuracy and fairness: AI models are periodically audited for bias, accuracy, and proportionality.
• Data minimisation: models are trained and operated using the minimum data necessary for the stated purpose.
• Explainability: SureNett aims to deploy AI in a manner that supports meaningful human oversight.
• Security: AI infrastructure is subject to the same access controls and security standards as our broader platform estate.

10. International Data Transfers

SureNett is headquartered in Ghana and primarily processes data within Ghana. Where it is necessary to transfer personal data to service providers or infrastructure located outside Ghana, we ensure appropriate safeguards are in place, which may include:

• Standard contractual clauses or equivalent contractual protections.
• End-to-end encryption of data in transit and at rest.
• Data minimisation — transferring only what is strictly necessary for the processing purpose.
• Restricted access controls limiting who can view transferred data.

We do not transfer data to jurisdictions that we assess as presenting an unacceptable risk to the rights and freedoms of data subjects without additional safeguards.

11. Data Security

SureNett implements a layered security architecture to protect personal data against unauthorised access, loss, disclosure, or destruction:

• Encryption in transit (TLS 1.2 or higher) and encryption at rest for sensitive data stores.
• Role-based access controls (RBAC) and principle of least privilege for all production systems.
• Multi-factor authentication (MFA) for system access by staff and contractors.
• Continuous monitoring, intrusion detection, and security information and event management (SIEM).
• Regular vulnerability assessments, penetration testing, and security patch management.
• Staff training on data protection and information security.
• Documented incident response and business continuity procedures.

No method of data transmission or storage is completely secure. While we take rigorous measures, we cannot guarantee absolute security. If you believe your personal data has been compromised, please notify us promptly at enquiries@corenett.com.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, SureNett will:

• Notify the Data Protection Commission of Ghana within 72 hours of becoming aware of the breach, where feasible and required by law.
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights — including a description of the nature of the breach, the likely consequences, and measures taken or proposed.
• Where SureNett is acting as a data processor, notify the relevant enterprise client (controller) promptly to allow them to fulfil their notification obligations.
• Maintain an internal breach register documenting all security incidents, regardless of whether external notification is required.

13. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law or contract. Key retention considerations include:

• Website enquiry and contact data: retained for up to 24 months from last interaction, or until you request deletion.
• Contractual and commercial records: retained for the duration of the contract and for up to 7 years thereafter, consistent with Ghanaian commercial law.
• Claims and adjudication records: retained as required by NHIA regulations and applicable client contracts.
• Healthcare and clinical data: retained in accordance with Ghana Health Service guidelines, NHIA regulations, and applicable clinical standards — typically no less than 10 years for adult records.
• Security and audit logs: retained for a minimum of 12 months and up to 5 years depending on regulatory requirements and incident investigation needs.

When data is no longer required, we securely delete or anonymise it in accordance with our data destruction standards.

14. Your Privacy Rights

Under the Ghana Data Protection Act, 2012 (Act 843) and applicable regulations, you have the following rights in relation to your personal data:

To exercise any of these rights, please submit a written request to enquiries@corenett.com. We will respond within 30 days (extendable to 60 days for complex requests, with notice). We may need to verify your identity before processing your request.

Note: Where SureNett processes data as a data processor on behalf of an enterprise client, please direct your rights request to that organisation (the data controller) in the first instance. SureNett will cooperate with and assist the controller in responding.

15. Children's Privacy

The SureNett Website and platform are not directed to, or intended for use by, children under the age of 18 without the involvement of a parent, guardian, or authorised adult representative.

Where our platform processes data relating to minors (e.g., paediatric insurance beneficiaries), this is done solely on behalf of and under the instructions of the enterprise client (the controller), which is responsible for ensuring appropriate parental or guardian consent has been obtained.

If we become aware that we have inadvertently collected personal data from a child without proper authorisation, we will promptly delete that data and notify the relevant enterprise client.

16. Third-Party Links and Integrations

The Website may contain links to third-party websites, and our platform may integrate with external services (such as healthcare providers, laboratory information systems, or insurance administrator portals). This Policy does not apply to those third-party sites or services.

We encourage you to review the privacy policies of any third-party services you access. SureNett is not responsible for the data practices of third parties.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or operational circumstances. When we make material changes, we will:

• Update the 'Effective Date' and 'Version' at the top of this document.
• Post the revised Policy on www.surenett.com/privacy-policy.
• Where we hold your contact information and the change is material, we will endeavour to notify you directly by email.

Continued use of the Website or our services after the effective date of any update constitutes your acceptance of the revised Policy.

18. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact our Privacy Office:

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission of Ghana:

This Privacy Policy is effective as of 3 June 2026 and supersedes all prior versions.