For patients
Privacy notice
Effective 15 April 2026
This notice explains how Docto24 (Pty) Ltd ("Docto24", "we", "us") collects, uses, and protects the personal information of patients and visitors to our platform, as required by the Protection of Personal Information Act, 2013 ("POPIA"). For the formal POPIA compliance manual see our POPIA Manual.
1. Who we are
Docto24 is the responsible party for the information described in this notice. We are a South African private company providing a regulated telemedicine pathway for SAHPRA Section 21 access to medical cannabis.
- Legal entity: Docto24 (Pty) Ltd
- Registered address: To be confirmed prior to launch · Cape Town, South Africa
- Information Officer: To be appointed under POPIA section 56 · privacy@docto24.co.za
2. What information we collect
Account information
- Full name and email address (mandatory for account creation)
- Phone number (optional, used for clinical follow-up)
- South African ID number (collected only when required for SAHPRA Section 21 application)
Clinical information
- Your eligibility-assessment questionnaire answers
- Doctor’s clinical notes and the prescribing decision
- Section 21 application details and approval status
- Pharmacy dispensing records (product, quantity, date)
Technical information
- Authenticated session cookies (Supabase Auth)
- Device, browser, and IP address (for security and audit)
- No third-party advertising or analytics trackers are used
3. Why we collect it
- To allow an HPCSA-registered doctor to clinically review your case
- To file a SAHPRA Section 21 application on your behalf where appropriate
- To route an approved prescription to the partner pharmacy you choose
- To process payment for the consultation
- To maintain a clinical and audit trail as required by HPCSA records-management standards
4. Lawful basis for processing
- Consent for the processing of clinical information (POPIA section 11(1)(a)) — given via the consent checkbox in the eligibility assessment.
- Performance of a contract for account, payment, and dispensing operations (section 11(1)(b)).
- Legal obligation for SAHPRA Section 21 applications and HPCSA record retention (section 11(1)(c)).
- Legitimate interest for security, fraud prevention, and audit logging (section 11(1)(f)).
Health information is "special personal information" under POPIA section 26 and is processed under the section 32 healthcare exemption (treatment, care, and medication management).
5. Who we share your information with
- The HPCSA-registered doctor assigned to review your case
- The South African Health Products Regulatory Authority (SAHPRA), for Section 21 applications
- The licensed partner pharmacy you select for dispensing
- PayFast (Pty) Ltd — payment processing of the consultation fee
- Supabase Inc — authentication and database hosting (operator under POPIA section 30)
- Email service provider for transactional messages (operator)
We do not sell your information. We do not share it with marketers. Operators process information on our written instruction and under signed operator agreements per POPIA section 21.
6. How long we keep your information
- Clinical records and audit logs: 6 years from last interaction, per HPCSA records-management guidelines and SAHPRA reporting requirements.
- Account information: until you request deletion, after which non-clinical data is removed. Clinical records remain under the HPCSA retention rule above.
- Payment records: 5 years per the Tax Administration Act and the Financial Intelligence Centre Act.
7. Your POPIA rights
You have the right to:
- Be informed about the processing of your information (this notice)
- Access the information we hold about you
- Request correction of inaccurate information
- Request deletion (subject to legal retention obligations)
- Object to processing on legitimate-interest grounds
- Lodge a complaint with the Information Regulator — inforegulator.org.za
8. Cross-border transfers
Where any operator stores or processes your information outside South Africa, we will only do so where the recipient is subject to a law, binding corporate rules, or contract that provides a comparable level of protection (POPIA section 72). We will update this notice if our hosting region changes.
9. Video consultations
Patients who choose the Premium Video tier are connected to their doctor via a third-party healthcare video platform (Doxy.me; later iterations may use Whereby or Daily.co — any successor vendor will be HIPAA/GDPR-equivalent and disclosed here). The video stream itself is end-to-end encrypted, is not recorded by default, and is not persisted on our servers — we only store the scheduled time and the meeting URL for audit purposes. The vendor processes the stream outside South Africa; this transfer is covered under POPIA section 72 adequacy provisions and a signed data processing agreement.
Before the session starts, the doctor identifies themselves with their HPCSA registration number — this fulfils HPCSA Telehealth Guideline Booklet 10 identification and transparency requirements. If you do not consent to a particular transmission medium, you may request a switch to the Standard Async tier at any time before the session; any Video-tier price difference is refunded pro-rata.
Session recording is never enabled without your explicit opt-in. If a recording feature ships in the future, it will only be offered on a per-session consent basis with clear retention and deletion terms.
10. Security safeguards
We apply technical and organisational measures appropriate to the sensitivity of the information we process, including encryption in transit, encryption at rest, row-level access control, audit logging, principle-of-least-privilege access for staff, and incident-response procedures.
11. Contact for data requests
For any access, correction, deletion, or objection request, write to privacy@docto24.co.za. We respond within 30 days as required by POPIA. For formal requests under PAIA, see our PAIA Manual.
12. Updates to this notice
We may update this notice from time to time. Material changes will be communicated by email to account holders at least 14 days before they take effect. The current version is always available at this URL.