POPIA Compliant

Privacy Policy

How MedConsult collects, processes, stores and protects your personal and health information in compliance with South African law.

Effective: 1 January 2026
Last updated: 1 January 2026
Version: 1.0

1. About this Policy

This Privacy Policy explains how MedConsult (Pty) Ltd ("MedConsult", "we", "us", "our") collects, processes, stores and protects your personal information when you use our practice management platform available at medconsult.africa and any associated sub-portals (the "Platform").

MedConsult is a registered South African company and is committed to protecting your privacy in accordance with the Protection of Personal Information Act, 2013 (POPIA), the Health Professions Council of South Africa (HPCSA) ethical guidelines, the National Health Act, 2003, and applicable international standards including the General Data Protection Regulation (GDPR) where relevant.

By using MedConsult, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, you must not use the Platform.

2. Definitions

For the purposes of this Policy, the following terms have the meanings set out below:

  • Personal Information: Information relating to an identifiable natural or juristic person, as defined in POPIA.
  • Special Personal Information: Personal information concerning a person's health, including medical history, diagnoses, treatments and prescriptions, as defined in POPIA section 26.
  • Responsible Party: The party who determines the purpose and means of processing personal information. MedConsult acts as Responsible Party in respect of platform account data, and as Operator in respect of patient clinical data on behalf of registered medical practitioners.
  • Data Subject: The natural person to whom personal information relates.
  • Processing: Any operation performed on personal information, including collection, recording, storage, retrieval, use, dissemination and deletion.
  • User: Any person who uses the Platform, including doctors, receptionists, practice administrators and patients.

3. Information We Collect

3.1 For Doctors and Practice Staff

  • Full name, email address, mobile number, physical address
  • HPCSA registration number and practice number
  • Specialisation and qualifications
  • Banking and billing details for subscription payments
  • Digital signature image and typed signature name
  • Practice details including name, VAT number, registered address
  • Login credentials (passwords are stored in hashed form only)

3.2 For Patients

  • Full name, date of birth, gender, identity number
  • Contact details including phone, WhatsApp and email
  • Physical and postal address
  • Medical aid scheme details (provider, member number, plan, principal member)
  • Emergency contact information
  • Blood type, known allergies and chronic conditions
  • Special Personal Information including consultation notes, diagnoses, ICD-10 codes, vital signs, prescribed medications, treatment plans, sick note details and referrals

3.3 Technical Information

  • IP address, browser type, device identifiers
  • Login timestamps and session activity
  • Audit logs of all read, write and delete operations on patient records

Lawful Basis for Special Personal Information

We process Special Personal Information (health data) only with the explicit consent of the patient, or where processing is necessary for the establishment, exercise or defence of a right or obligation in law, in accordance with POPIA sections 26, 27 and 32.

4. Why We Collect It

We process personal information for the following specific, explicit and legitimate purposes:

Purpose and lawful basis:

  • Providing the Platform service to doctors and practices: contractual necessity
  • Enabling patient record-keeping for treating practitioners: Operator agreement with the practitioner
  • Issuing medical certificates and prescriptions: practitioner instruction and patient consent
  • Processing medical aid claims on behalf of practitioners: patient consent and the Medical Schemes Act
  • Sending appointment reminders and notifications: patient consent
  • Subscription billing and account management: contractual necessity
  • Audit logging and security monitoring: legal obligation and legitimate interest
  • Compliance with HPCSA record-retention requirements: legal obligation

We do not use your personal information for purposes other than those listed above without obtaining your further consent.

6. Sharing Information

We do not sell, trade or rent personal information. We share information only as follows:

6.1 With Your Treating Practitioner

Patient clinical information is shared exclusively with the treating doctor and authorised members of their practice as configured under role-based access controls.

6.2 Within a Registered Practice

Where a doctor is a member of a registered practice on MedConsult:

  • Receptionists can access patient demographics, contact details and medical aid information but cannot access clinical records, diagnoses, sick notes or prescriptions. This restriction is enforced at the database level, not merely in the user interface.
  • Other doctors in the same practice can access shared patient records only where the patient is explicitly registered as a shared patient.
  • Practice administrators can access aggregated reporting and billing information but not individual clinical records unless they are also a treating practitioner.

6.3 Service Providers

We engage the following third-party service providers under appropriate data processing agreements:

  • Supabase Inc. — database hosting and authentication infrastructure
  • Vercel Inc. — application hosting and content delivery
  • PayFast (Pty) Ltd — payment processing for subscriptions
  • Resend — transactional email delivery

6.4 Legal Disclosure

We may disclose information where required by law, court order, or to protect the rights, property or safety of MedConsult, our users or others, including in response to:

  • Subpoenas or court orders from South African courts
  • HPCSA professional conduct investigations
  • Information Regulator enforcement notices
  • SARS tax compliance requests in respect of business records

7. Where We Store Data

Personal information processed through MedConsult is stored on encrypted servers operated by Supabase Inc., currently located in data centres in the European Union (EU).

Cross-Border Transfer Notice

POPIA section 72 restricts the transfer of personal information outside South Africa: the recipient must be subject to a law, binding corporate rules or an agreement that provides a level of protection substantially similar to POPIA, or the data subject must consent to the transfer. The EU enforces the General Data Protection Regulation (GDPR), which provides protection substantially similar to POPIA. By using MedConsult you also consent to this transfer for the purpose of providing the service.

We are evaluating migration to AWS Cape Town region for full South African data sovereignty and will update this Policy and notify users prior to any such migration.

8. How We Protect It

MedConsult implements the following technical and organisational security measures to safeguard personal information:

8.1 Technical Safeguards

  • Encryption in transit: All data exchanged between your device and our servers uses TLS 1.3 encryption
  • Encryption at rest: All data stored in our database is encrypted at rest using AES-256
  • Row-Level Security: Database-level access controls ensure that each user can only access data they are authorised to see
  • Password hashing: Passwords are stored as bcrypt hashes with a per-password salt and an appropriate cost factor, never in plaintext
  • Audit logs: All data access and modifications are logged with timestamp, user identifier and action
  • Backup encryption: Automated daily encrypted backups with point-in-time recovery
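Sections 6.2 and 8.1 state that the receptionist restriction and per-user access control are enforced at the database level rather than in the user interface. The following is an added illustration of how that is typically done with PostgreSQL row-level security as deployed on Supabase; it is not MedConsult's actual schema or policy set, and every table, column and role name in it is an assumption. auth.uid() is Supabase's helper that returns the calling user's id from the request JWT.

```sql
-- Added illustration, not MedConsult's schema: database-enforced role separation
-- with PostgreSQL row-level security (RLS) as used on Supabase.
-- Assumed tables: practice_members, patients, clinical_notes, audit_log.
-- auth.uid() is Supabase's helper returning the caller's user id from the JWT;
-- on plain PostgreSQL substitute your own session-variable lookup.

create table practice_members (
  user_id     uuid not null,
  practice_id uuid not null,
  role        text not null check (role in ('doctor', 'receptionist', 'admin')),
  primary key (user_id, practice_id)
);

create table patients (
  id                    uuid primary key default gen_random_uuid(),
  practice_id           uuid not null,
  treating_doctor_id    uuid not null,
  shared_with_practice  boolean not null default false,  -- "shared patient" flag
  full_name             text not null,
  medical_aid_member_no text
);

create table clinical_notes (
  id         uuid primary key default gen_random_uuid(),
  patient_id uuid not null references patients (id),
  author_id  uuid not null,
  icd10_code text,
  note       text not null
);

create table audit_log (
  id         bigserial primary key,
  at         timestamptz not null default now(),
  actor_id   uuid,
  table_name text not null,
  row_id     uuid,
  action     text not null
);

-- Enable RLS and FORCE it so that even the table owner cannot bypass the
-- policies. With RLS on and no matching policy, a query returns no rows.
alter table patients       enable row level security;
alter table clinical_notes enable row level security;
alter table patients       force row level security;
alter table clinical_notes force row level security;

-- Demographics, contact and medical-aid fields (Section 6.2, first bullet):
-- readable by any staff member of the patient's practice, receptionists included.
create policy patients_practice_staff_read on patients
  for select using (
    exists (select 1 from practice_members m
            where m.user_id = auth.uid()
              and m.practice_id = patients.practice_id)
  );

-- Clinical records (Section 6.2, second bullet): only the treating doctor, or
-- another doctor in the same practice when the patient is explicitly shared.
-- A receptionist or admin account matches no row, whatever the UI requests.
create policy clinical_notes_doctor_read on clinical_notes
  for select using (
    exists (select 1
            from patients p
            join practice_members m
              on m.practice_id = p.practice_id and m.user_id = auth.uid()
            where p.id = clinical_notes.patient_id
              and m.role = 'doctor'
              and (p.treating_doctor_id = auth.uid() or p.shared_with_practice))
  );

-- Writes are limited to the treating doctor. WITH CHECK also rejects an insert
-- or update that would attach a note to a patient the caller does not treat.
create policy clinical_notes_doctor_write on clinical_notes
  for all
  using (exists (select 1 from patients p
                 where p.id = clinical_notes.patient_id
                   and p.treating_doctor_id = auth.uid()))
  with check (exists (select 1 from patients p
                      where p.id = clinical_notes.patient_id
                        and p.treating_doctor_id = auth.uid()));

-- Audit trail for write and delete operations (Section 8.1). SECURITY DEFINER
-- lets the trigger write to audit_log without granting users INSERT on it.
-- Reads cannot be captured by a row trigger; log them at the API layer or
-- with an extension such as pgaudit.
create or replace function log_clinical_change() returns trigger
language plpgsql security definer as $$
begin
  insert into audit_log (actor_id, table_name, row_id, action)
  values (auth.uid(), tg_table_name,
          case when tg_op = 'DELETE' then old.id else new.id end, tg_op);
  return null;  -- AFTER trigger: return value is ignored
end $$;

create trigger clinical_notes_audit
  after insert or update or delete on clinical_notes
  for each row execute function log_clinical_change();
```

To check the separation, connect as the application role, set the JWT claim session variable that auth.uid() reads to a receptionist's user id, and run `select * from clinical_notes`: the query succeeds but returns zero rows, while the same query against `patients` returns that practice's demographics. The policies are permissive and therefore OR'd together, so the treating doctor's write policy does not narrow the read policy above it.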

8.2 Organisational Safeguards

  • Designated Information Officer responsible for POPIA compliance
  • Staff confidentiality agreements and access on a need-to-know basis
  • Regular security audits and vulnerability assessments
  • Incident response procedures for data breaches
  • Mandatory two-factor authentication for administrative access

8.3 Data Breach Notification

In the unlikely event of a security compromise, we will notify the Information Regulator and affected Data Subjects within 72 hours of becoming aware of the breach. This is a stricter commitment than POPIA section 22, which requires notification as soon as reasonably possible after discovery of the compromise.

9. How Long We Keep It

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law:

Type of information and retention period:

  • Patient medical records: minimum 6 years from last consultation; 10 years where the patient was a minor at the time of treatment
  • Sick notes and prescriptions issued: 6 years (HPCSA requirement)
  • Invoices and financial records: 5 years (Tax Administration Act)
  • Medical aid claim records: 5 years (Medical Schemes Act)
  • Doctor account information: for the duration of the subscription plus 1 year after termination
  • Audit logs: 3 years from the date of the logged event
  • Marketing consent records: for the duration of consent plus 3 years after withdrawal

After the applicable retention period expires, we will securely delete or anonymise the information.

10. Your Rights

Under POPIA, you have the following rights in relation to your personal information:

  • Right of access: Request a copy of personal information we hold about you
  • Right to correction: Request correction of inaccurate or incomplete information
  • Right to deletion: Request deletion of information that is no longer needed for the purpose for which it was collected, subject to legal retention obligations
  • Right to object: Object to processing for direct marketing or based on legitimate interest
  • Right to data portability: Receive your information in a structured, machine-readable format
  • Right to lodge a complaint: Lodge a complaint with the Information Regulator (see Section 13)

To exercise any of these rights, contact our Information Officer using the contact details in Section 13. We will respond to your request within 30 days of receipt.

Limitations on Deletion of Clinical Records

Patient clinical records cannot be deleted before the legal retention period expires (typically 6 years from last consultation, per HPCSA record-keeping guidelines). This protects both you and your treating practitioner. After the retention period, you may request deletion.

11. Cookies & Tracking

MedConsult uses the following types of cookies and similar technologies:

  • Essential cookies: Required for the Platform to function, including authentication tokens and session identifiers. These cannot be disabled.
  • Functional cookies: Remember your preferences such as language and display settings.
  • Analytics cookies: Used to produce anonymised, aggregated statistics on how the Platform is used. They are not used to identify individual users.

We do not use third-party advertising cookies or trackers. You can control cookies through your browser settings, though disabling essential cookies will prevent the Platform from functioning.

12. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The "Last Updated" date at the top of this Policy will indicate when changes were made.

For material changes affecting your rights, we will notify you via email at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

If you have questions about this Policy, wish to exercise your rights, or have any concerns about how we handle your information, please contact us:

Information Officer

Email: privacy@medconsult.africa

Postal: Information Officer, MedConsult (Pty) Ltd, [Your Registered Address]

Phone: [Your Contact Number]

We will respond to your inquiry within 30 days.

Information Regulator (South Africa)

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator:

Website: inforegulator.org.za

Email: complaints.IR@justice.gov.za

Postal: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

MedConsult (Pty) Ltd · Registration No: [Your CIPC Number] · Information Officer Registration: [Pending]