Privacy Policy

Last updated: 2026-03-16

1. Introduction

Netcare Limited trading as Netcare Health OS is committed to protecting personal information — especially patient health information — in accordance with POPIA.

This Privacy Policy applies to all users of the Netcare Health OS platform, including practice administrators, healthcare practitioners, staff, and patients whose data is processed through the Platform.

2. Information Officer (POPIA s55)

Name: David M. Hampton, Managing Director, Touchline Agency (Pty) Ltd t/a VisioHealth

Email: davidhampton@visiocorp.co

3. Special Personal Information — Health Data (POPIA s26-27)

Patient health information is classified as special personal information under POPIA s26. We process it only:

• With explicit patient consent for treatment purposes

• For medical diagnosis and treatment by a healthcare practitioner

• To comply with legal obligations (ICD-10 coding, medical aid claims)

Health data receives the highest level of protection, including encryption at rest and in transit, audit logging of all access, and role-based access controls.

4. Data We Collect

Practice data: Practice name, address, contact details, branding, subscription details

Staff data: Name, email, role, access permissions

Patient data: Name, ID number, contact details, medical history, allergies, medications, vitals, consultation notes, billing records

Consent records: Consent type, method, timestamp, IP address, revocation status

Technical data: IP address, browser information, access logs, audit trail

5. AI Data Processing

The Platform uses Anthropic Claude AI for clinical decision support (triage, follow-up, intake, billing, scheduling). When AI features are used:

• Patient information is sent in de-identified or minimally identified form where possible

• AI responses are generated in real time and are not stored by the AI provider for training

• Clinical responsibility for any action taken based on AI suggestions remains with the treating practitioner

6. Third-Party Processors

• Supabase (AWS): Database and authentication — EU/US

• Anthropic (Claude): AI clinical decision support — United States

• ElevenLabs: Voice synthesis for AI agent — United States

Cross-border transfers comply with POPIA s72.

7. Data Retention

Patient medical records: Retained per HPCSA guidelines (minimum 5 years after last consultation for adults, until age 21 for minors)

Billing records: 5 years (tax and legal compliance)

Audit logs: 3 years

Practice data: Duration of subscription + 1 year

After retention periods, data is securely deleted or anonymised.

8. Patient Rights (POPIA s23-25)

• Right of access: Request a copy of your personal information

• Right to correction: Request correction of inaccurate data

• Right to deletion: Request deletion where legally permitted (note: medical record retention requirements may apply)

• Right to object: Object to processing for direct marketing

• Right to withdraw consent: Withdraw marketing or research consent at any time

Submit a data subject request at /data-request or contact privacy@touchlineagency.co.za. We respond within 30 days.

9. Data Breach Notification (POPIA s22)

In the event of a breach involving patient health information, we will:

• Notify the Information Regulator as soon as reasonably possible

• Notify affected patients and practices

• Notify HPCSA if clinical data is compromised

• Take immediate containment and remediation steps

10. POPIA Consent Management

The Platform provides built-in consent tracking for:

• Treatment consent (required for patient care)

• Data processing consent (POPIA requirement)

• Marketing consent (opt-in, per POPIA s69)

• Research consent (separate, explicit opt-in)

Consent records include method (digital/paper/verbal), timestamp, and revocation tracking.

11. Contact

Privacy: privacy@touchlineagency.co.za

General: info@netcare.co.za

Information Regulator: complaints.IR@justice.gov.za

Netcare Limited · Gauteng, South Africa