HPCSA-registeredSAHPRA-authorisedPOPIA-secure

DOCTO24
Sign inCHECK ELIGIBILITY
← All policies

Formal disclosure

POPIA Compliance Manual

Effective 15 April 2026

Draft — pending legal review. This document is a working template based on standard South African healthcare-telemedicine practice. It will be reviewed and signed off by a HPCSA- and POPIA-qualified attorney prior to public launch.

This manual is the formal compliance documentation required of Docto24 (Pty) Ltd (the "Responsible Party") under the Protection of Personal Information Act, 2013 ("POPIA"). For a plain-language summary written for patients, see the Privacy notice.

1. Responsible Party

Legal entity
Docto24 (Pty) Ltd
Registration number
To be confirmed prior to launch
Registered address
To be confirmed prior to launch · Cape Town, South Africa
Postal address
To be confirmed prior to launch
Email
privacy@docto24.co.za

2. Information Officer

Per POPIA section 56, the Responsible Party has appointed an Information Officer who is registered with the Information Regulator.

Name
To be appointed prior to launch
Role
Director, Docto24 (Pty) Ltd
Email
io@docto24.co.za
Phone
To be confirmed

3. Purposes of processing

  • Account management: identification, authentication, and communication with the data subject.
  • Clinical care: consultation, prescription, SAHPRA Section 21 application, and dispensing routing.
  • Payment processing: consultation and SAHPRA application fees via PayFast.
  • Audit and compliance: records of doctor decisions, SAHPRA submissions, and dispense events for HPCSA, SAHPRA, and tax-law retention.
  • Security: fraud prevention, abuse detection, and incident response.
  • Marketing: none. No direct-marketing processing is performed.

4. Categories of data subjects

  • Patients holding a Docto24 account
  • HPCSA-registered doctors on the panel
  • Pharmacy contact persons at partner pharmacies
  • Pre-registration enquirers (where they have provided contact information)

5. Categories of personal information processed

Standard personal information

  • Name, contact details (email, phone)
  • South African identification number (where required for SAHPRA submission)
  • Postal and delivery address
  • Authentication metadata (IP, device, timestamps)

Special personal information (POPIA section 26)

Health information is processed under the POPIA section 32 healthcare exemption (treatment, care, and medication management by a regulated health practitioner). This includes:

  • Eligibility-assessment questionnaire content
  • Clinical notes and prescribing decisions
  • SAHPRA Section 21 application content and reference numbers
  • Dispensing records (product, quantity, date)

6. Recipients of personal information

Operators (POPIA section 30)

  • Supabase Inc — authentication and database hosting (operator agreement in place)
  • PayFast (Pty) Ltd — payment processing
  • Email service provider — transactional notifications
  • Cloud hosting provider for the application layer

Third parties

  • SAHPRA — for Section 21 applications (legal obligation)
  • The HPCSA-registered doctor assigned to the case
  • The licensed pharmacy chosen by the patient for dispensing
  • SARS — for tax records relating to consultation fees

7. Cross-border transfers (POPIA section 72)

Where any operator stores or processes personal information outside South Africa, we rely on contractual safeguards equivalent to the protection afforded by POPIA. Where no such safeguards exist, we obtain the data subject’s consent before transfer or rely on another lawful exception under section 72.

8. Security safeguards (POPIA section 19)

  • TLS 1.2+ encryption for all data in transit
  • Encryption at rest at the storage layer
  • Row-level security (RLS) policies on patient-scoped data
  • Supabase Auth with magic-link authentication
  • Audit logging of administrative and clinical events
  • Principle of least privilege for staff and operator access
  • Documented incident-response procedure with notification under section 22

9. Retention periods (POPIA section 14)

Clinical records
6 years from last interaction (HPCSA records-management standard)
SAHPRA application records
6 years (SAHPRA reporting requirement)
Audit logs
6 years
Payment records
5 years (Tax Administration Act, FICA)
Account information
Until deletion request, subject to clinical retention above

10. Data subject rights and request procedures

Data subjects may exercise the rights set out in POPIA sections 23, 24, and 25 by emailing privacy@docto24.co.za. Requests are acknowledged within 5 business days and resolved within 30 calendar days.

For formal access requests, see our PAIA Manual. Data subjects may also lodge a complaint with the Information Regulator (see section 12).

11. Direct marketing (POPIA section 69)

Docto24 does not conduct direct marketing by electronic communication. If we introduce such marketing in future, opt-in consent will be obtained and an unsubscribe mechanism provided in every message.

12. Information Regulator contact

Authority
Information Regulator (South Africa)
Website
inforegulator.org.za
Complaints
complaints.IR@justice.gov.za