HH-PRIV-001 · Version 1.0
In compliance with the Protection of Personal Information Act (POPIA), Act 4 of 2013
Effective Date: 10 March 2026 · Information Officer: Dr Musa Chauke
HealthHalo (Pty) Ltd ("HealthHalo", "we", "us", or "our") is a South African telemedicine and home visit platform operated by registered medical practitioners. We are committed to protecting the privacy and personal information of every patient and visitor who uses our services.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and what your rights are under the Protection of Personal Information Act (POPIA), Act 4 of 2013.
| Detail | Information |
|---|---|
| Company Name | HealthHalo (Pty) Ltd |
| Registration Number | 2026/208414/07 |
| Tax Reference Number | 9190835281 |
| Registered Address | South Africa |
| Email | hello@healthhalo.co.za |
| Website | healthhalo.co.za |
| Information Officer | Dr Musa Chauke |
| Information Officer Email | dr.mchauke@healthhalo.co.za |
We collect only the information that is necessary to provide you with safe, accurate, and legally compliant medical consultation services.
| Category | Examples | When Collected |
|---|---|---|
| Identity Information | Full name, date of birth, ID / passport number, gender | Registration & booking |
| Contact Information | Phone number, email address, physical address | Registration & booking |
| Medical Aid Information | Medical aid scheme, membership number, dependent code | Booking & billing |
| Health Information | Medical history, current medications, allergies, symptoms, diagnoses, clinical notes, prescriptions, sick notes, referral letters | Consultation |
| Clinical Images | Photographs of skin conditions, wounds, rashes uploaded by you | Pre-consultation |
| Payment Information | Payment method, EFT proof of payment (for verification) | Payment processing |
| Guardian Information | Parent/guardian details for minor patients | Minor consultations |

| Category | Examples | Purpose |
|---|---|---|
| Technical Data | IP address, browser type, device type | Security and fraud prevention |
| Usage Data | Pages visited, session duration, consultation logs | Platform improvement |
| Consent Records | Timestamp and IP of consent given | Legal compliance |
We process your personal information only for the following lawful purposes:
| Purpose | Lawful Basis (POPIA) | Details |
|---|---|---|
| Medical consultation | Contractual necessity + consent | To deliver the telemedicine or home visit service you requested |
| Clinical record keeping | Legal obligation + consent | HPCSA requires clinical records for every consultation |
| Billing and payment | Contractual necessity | To process your payment via PayFast or EFT |
| Medical aid claims | Consent | To submit a claim on your behalf to your medical aid scheme |
| Appointment communications | Contractual necessity | Booking confirmations, reminders, and post-consult documents via email and SMS |
| Emergency escalation | Vital interest | To direct you to emergency services if red-flag symptoms are detected |
| Legal compliance | Legal obligation | HPCSA guidelines, National Health Act, POPIA, SARS records |
| AI-assisted intake | Consent | To use AI to pre-screen symptoms and assist the doctor with a pre-consult brief |
| Platform security | Legitimate interest | To detect and prevent fraud, abuse, and unauthorised access |
HealthHalo shares your personal information only where strictly necessary and only with parties who are bound by confidentiality agreements and data processing agreements (DPAs).
| Processor | Role | Data Shared | Location |
|---|---|---|---|
| Supabase | Database & file storage | All personal and health data | USA (GDPR-compliant) |
| Vercel | Web hosting & platform delivery | Session data, IP address | USA (GDPR-compliant) |
| Google (Workspace & Meet) | Email communication & video consultations | Name, email, consultation link | USA (GDPR-compliant) |
| Anthropic (Claude AI) | AI-assisted symptom intake and pre-consult brief | Anonymised symptom data only | USA (GDPR-compliant) |
| PayFast | Payment processing | Payment method, transaction amount | South Africa |
| BulkSMS | SMS notifications | Phone number, appointment details | South Africa |
| Resend | Transactional email delivery | Name, email, consultation documents | USA (GDPR-compliant) |
Where you request medical aid billing, we share the minimum necessary clinical information (ICD-10 diagnosis code, tariff code, date of service, your membership details) with:
We may disclose personal information without your consent where required by law, including:
| Security Measure | Details |
|---|---|
| Encryption at rest | All data stored in Supabase is encrypted using AES-256 |
| Encryption in transit | All data transmitted over HTTPS/TLS 1.2+ |
| Access control | Row-level security — each patient accesses only their own records |
| Authentication | Multi-factor authentication required for doctor access |
| Audit logging | All access to clinical records is logged with timestamp and user ID |
| Breach notification | You and the Information Regulator will be notified within 72 hours of a confirmed breach |
| Staff access | Only treating doctors can access patient health records |
| AI data handling | Symptom data passed to Claude AI is processed per Anthropic's data processing agreement and is not used to train AI models |
| Record Type | Retention Period | Reason |
|---|---|---|
| Clinical records (SOAP notes, prescriptions, sick notes) | 5 years minimum | HPCSA guidelines + National Health Act |
| Clinical photographs and images | 5 years minimum | HPCSA guidelines |
| AI intake forms and symptom data | 5 years minimum | Continuity of care |
| Payment and transaction records | 5 years | SARS tax compliance |
| Consent records | 5 years minimum | Legal compliance |
| Account and registration data | Duration of account + 1 year | Contractual necessity |
| Technical and session logs | 12 months | Security monitoring |
After the retention period, records are securely and permanently deleted or anonymised. You may request early deletion of non-clinical data — see Section 8 for your rights.
As a data subject under POPIA, you have the following rights:
| Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access | Request a copy of all personal information HealthHalo holds about you | Email hello@healthhalo.co.za — we will respond within 30 days |
| Right to Correct | Request correction of inaccurate or incomplete personal information | Email hello@healthhalo.co.za with the correction required |
| Right to Delete | Request deletion of your personal information (subject to legal retention obligations) | Email hello@healthhalo.co.za — clinical records must be kept for 5 years |
| Right to Object | Object to the processing of your personal information for non-essential purposes | Email hello@healthhalo.co.za |
| Right to Withdraw Consent | Withdraw consent for any processing based on consent at any time | Email hello@healthhalo.co.za — withdrawal does not affect past processing |
| Right to Complain | Lodge a complaint with the Information Regulator if you believe your rights have been violated | enquiries@inforegulator.org.za |
The HealthHalo platform uses essential cookies and session tokens only. We do NOT use third-party advertising cookies, tracking pixels, or behavioural profiling tools.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session token | Keeps you logged in during your session | Session (deleted on logout) |
| Authentication token | Secure authentication via Supabase Auth | 7 days |
| Consent timestamp | Records that you accepted the consent form | Session |
The HealthHalo platform may contain links to third-party websites or services (e.g. Google Meet consultation links). HealthHalo is not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.
HealthHalo may provide medical consultation services to minor patients (under 18 years) where a parent or legal guardian provides consent. We do not knowingly collect personal information from minors without parental or guardian consent. Where a minor's information is provided, it is treated with the same (or greater) level of protection as adult patient data.
HealthHalo may update this Privacy Policy from time to time. Changes will be published on healthhalo.co.za with a revised effective date. Where changes are material, we will notify registered users by email. Continued use of our services after a policy update constitutes acceptance of the updated policy.
| Version | Date | Changes |
|---|---|---|
| 1.0 | 10 March 2026 | Initial Privacy Policy — platform launch |
For any questions, requests, or complaints regarding this Privacy Policy or the handling of your personal information, please contact:
| Detail | Information |
|---|---|
| Information Officer | Dr Musa Chauke — HealthHalo (Pty) Ltd |
| Email | hello@healthhalo.co.za |
| Website | healthhalo.co.za |
| Postal Address | HealthHalo (Pty) Ltd, South Africa |
| Information Regulator (Complaints) | enquiries@inforegulator.org.za |
HealthHalo (Pty) Ltd · Reg No: 2026/208414/07 · Tax No: 9190835281
hello@healthhalo.co.za · healthhalo.co.za
Information Officer: Dr Musa Chauke (HPCSA: MP0995363 · Practice: 1298887)
Co-Founder: Dr Sphiwe Chauke (HPCSA: MP0993719 · Practice: 1297988)