Privacy Policy

Effective Date: 8 Sept 2025

This Privacy Policy explains how Docy ("Docy", "we", "our", "us") collects, uses, stores, and protects personal information when you use our platform and services. We are committed to handling information responsibly, in compliance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable laws.

1. Roles and Responsibilities

Medical Practices: When a medical practice uses Docy to manage patient records, the practice is the Responsible Party under POPIA. Docy acts as an Operator, processing information on the practice's behalf.

Patients: When a patient directly provides or manages their own information in Docy (for example, through intake forms or uploading attachments), the patient is the Responsible Party for that data. Docy acts as the Operator.

Shared Profiles: If a patient's profile is linked to them but their practice also adds information (such as clinical notes, prescriptions, or results), the practice is the Responsible Party for the information it contributes. The patient remains entitled to access and control their overall profile.

Docy does not independently determine the purposes for which personal or health information is processed.

2. Information We Collect

We may collect and process the following categories of information:

Account and Subscription Information

Names, email addresses, contact details, billing information, and practice details.

User Information

Login credentials, role or permission settings, and usage activity.

Patient Information

Health records, attachments (e.g. x-rays, test results, lab reports), prescriptions, notes, and medical history.

Information may be provided by a Practice, by a Patient, or jointly within the same profile.

Technical Information

Device type, operating system, browser type, IP address, and usage analytics.

3. How We Use Information

We use personal information only for legitimate purposes, including:

  • Providing, maintaining, and improving the Docy platform.
  • Managing accounts, subscriptions, billing, and customer support.
  • Ensuring system security and preventing unauthorised access.
  • Complying with legal and regulatory obligations.
  • Generating anonymised or aggregated insights for product development and research (never linked to identifiable individuals).

4. Patient Data

Patient Data remains under the control of the Responsible Party who created or submitted it.

Where both a Patient and a Practice contribute to the same profile, each is responsible for the information they add.

Patients retain the right to access and share the entirety of their profile, including records added by their Practice, with another Practice or healthcare provider of their choice.

Docy processes Patient Data only as instructed by the Responsible Party and does not use Patient Data for its own purposes.

5. Legal Basis for Processing

We process personal information on the following legal grounds:

  • Performance of a contract – to deliver the Docy platform and services.
  • Compliance with law – to meet legal and regulatory obligations.
  • Legitimate interests – such as maintaining security, improving our services, and preventing misuse.
  • Consent – where required, for example, for marketing communications.

6. Sharing of Information

We may share personal information only with:

  • Service providers who assist us in hosting, storage, payment processing, analytics, and support.
  • Regulators or legal authorities when disclosure is legally required.
  • Third-country service providers, only where appropriate safeguards are in place to protect personal data.

All service providers are bound by contractual confidentiality and data protection obligations.

7. Security

We implement appropriate organisational and technical safeguards to protect personal information, including encryption, secure hosting, and access controls. While we take all reasonable steps, no system is entirely secure, and we cannot guarantee absolute protection.

8. Data Retention

Account and subscription data are retained for as long as a Practice or Patient account remains active.

Patient Data is retained only while the Responsible Party uses our services. Upon account termination, Patient Data is deleted in line with our retention policy, unless otherwise required by law.

Aggregated, non-identifiable information may be retained for research or product development.

9. Individual Rights

Under POPIA, individuals have the right to:

  • Access their personal information.
  • Request correction or deletion of inaccurate or outdated information.
  • Object to the processing of their personal information.
  • Withdraw consent where processing is based on consent.
  • Port and share their data – Patients may share their profile, including data added by a Practice, with another Practice or provider.

If a Practice is the Responsible Party, Patients may direct requests to their Practice. Docy will assist Practices in fulfilling such requests.

If a Patient is the Responsible Party for their own account, they may exercise rights directly with Docy.

In shared profiles, Patients may exercise rights over all data linked to their profile, even where entered by their Practice.

10. Marketing Communications

We may send service-related communications (such as system updates and important notices).

Marketing communications are only sent with consent. Recipients may opt out at any time.

11. Cross-Border Data Transfers

Personal information may be stored or processed outside South Africa in countries with adequate protection standards comparable to POPIA. Where transfers occur, appropriate safeguards are applied.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website, and material changes will be communicated to users.

13. Contact Us

If you have any questions about this Privacy Policy or how your information is handled, please contact:

Docy
Email: support@docy.com