Privacy Policy

Medify AI Privacy Policy

Last Updated: 05 June 2025

1. Our Commitment to Your Privacy

Medify AI ("Medify AI," "we," "us," or "our") is committed to protecting the privacy and security of your personal information, particularly sensitive health-related data. This Privacy Policy outlines how we collect, use, disclose, process, and safeguard your information when you use our services, including our patient verification and tracking systems, our website, and any related applications (collectively, the "Services").

We understand the importance of trust in handling health information. Our systems are designed with privacy and security as core principles, aiming to comply with applicable data protection laws, including the Protection of Personal Information Act (POPIA) of South Africa.

2. Information We Collect

We collect information necessary to provide our Services effectively and securely. The types of information we may collect include:

Patient Information (for Verification, Tracking, and Billing):

  • Identifiers: Full name, national identification number (e.g., SA ID number), medical aid membership number, patient number assigned by healthcare providers.
  • Contact Information: Potentially phone number or email address if provided for communication related to our services (though primary data collection focuses on identifiers for verification).
  • Medical Aid Information: Details of your medical aid scheme and plan.

Service Utilization Data:

  • Dates, times, and duration of medical consultations or procedures (e.g., time spent in an operating theatre, tracked to the second or minute).
  • Location data specifically within a healthcare facility (e.g., operating theatre, doctor's practice) when using our in-hospital RFID tracking or similar technologies.
  • Verification records confirming your identity for a specific service.

Information from Healthcare Providers:

Information shared by hospitals or doctors' practices to facilitate verification and accurate billing, such as procedure codes or consultation details linked to your verified presence.

Healthcare Provider Information (Users of our System):

  • Practice name, registration numbers, contact details, and user credentials for accessing our platform.

Technical Information (when interacting with our website or applications):

  • IP address, browser type, operating system, device identifiers, and usage data (pages visited, features used). This is typically collected through cookies and similar technologies (see our Cookie Policy if applicable).

3. How We Use Your Information

We use your information for the following primary purposes:

To Provide and Improve Our Services:

  • Verify patient identity to ensure the correct individual is receiving care and being billed.
  • Track time accurately for medical procedures and consultations for precise billing.
  • Facilitate accurate billing submissions from healthcare providers to medical aids.
  • Prevent fraud, including medical aid card farming and overcharging.
  • Automate and streamline billing reconciliation processes.
  • Operate, maintain, and improve our RFID and other tracking technologies.
  • Develop and enhance "Smart Hospital" functionalities, such as patient flow management and resource optimization, with aggregated and anonymized data where appropriate.

To Communicate With You:

  • Respond to inquiries (if you contact us directly).
  • Provide service updates or important notices (primarily to our healthcare provider clients).

For Security and Compliance:

  • Protect the security and integrity of our Services and user data.
  • Comply with legal obligations, regulations, and lawful requests from authorities.
  • Enforce our terms and agreements.

For Analytics and Service Improvement (Aggregated/Anonymized):

To understand service usage patterns, identify areas for improvement, and develop new features. When used for these purposes, personal identifiers are removed or data is aggregated to protect individual privacy.

4. Legal Basis for Processing (Primarily under POPIA)

We process your personal information based on the following legal grounds:

  • Consent: Where required by law, or for specific uses not covered by other legal bases, we will obtain your explicit consent.
  • Contractual Necessity: To fulfill our contractual obligations to our clients (healthcare providers and medical aids) in providing our verification and billing services.
  • Legitimate Interests: For purposes such as fraud prevention, service improvement, and security, provided these interests are not overridden by your data protection rights.
  • Legal Obligation: To comply with applicable laws and regulations.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following limited circumstances:

  • With Healthcare Providers and Medical Aids: To facilitate patient verification, accurate billing, claims processing, and fraud prevention, strictly as necessary for the provision of our Services.
  • Service Providers: We may engage third-party companies and individuals to perform services on our behalf (e.g., data hosting, IT support, security services). These providers are contractually obligated to protect your information and may only use it for the purposes for which we disclose it to them.
  • For Legal Reasons: If required by law, subpoena, court order, or other governmental request, or to protect the rights, property, or safety of Medify AI, our users, or the public.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to the acquirer adhering to the commitments made in this Privacy Policy.
  • Aggregated or Anonymized Data: We may share aggregated or anonymized data (which cannot be used to identify you) for research, analytics, or industry reporting.

6. Our Commitment to Data Security: Safeguarding Your Information

Medify AI takes the security of your data, especially sensitive patient information, extremely seriously. We implement a multi-layered approach incorporating robust technical, administrative, and physical safeguards designed to protect your information from unauthorized access, use, disclosure, alteration, or destruction. These measures include:

Encryption:

  • Data in Transit: We use strong encryption protocols (e.g., TLS/SSL) to protect data transmitted between your device/healthcare provider systems and our servers.
  • Data at Rest: Sensitive personal information stored in our databases is encrypted using industry-standard encryption algorithms.

Access Controls:

  • Role-Based Access: Access to patient data is strictly limited to authorized personnel based on their job responsibilities and a "need-to-know" basis.
  • Strong Authentication: We enforce strong password policies and multi-factor authentication (MFA) for access to our systems containing sensitive data.
  • Audit Trails: We maintain comprehensive logs of access to and modifications of sensitive data to detect and investigate any unauthorized activity.

Network Security:

  • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are employed to protect our network infrastructure from external threats.
  • Regular vulnerability scanning and penetration testing are conducted to identify and remediate potential security weaknesses.

Data Minimization and Purpose Limitation:

  • We only collect and retain personal information that is necessary for the specific purposes outlined in this policy.
  • Data is processed only for the legitimate purposes for which it was collected.

Secure Development Practices:

  • Our software and systems are developed with security in mind, following secure coding practices and undergoing security reviews.

RFID Security (for in-hospital tracking):

  • RFID tags and readers are implemented with security features to prevent unauthorized scanning or cloning, where feasible and appropriate for the technology generation.
  • Data transmitted from RFID systems is secured.

Physical Security:

  • Our data centers (whether proprietary or through reputable cloud providers like AWS, Azure, Google Cloud) employ robust physical security measures to prevent unauthorized physical access.

Employee Training and Awareness:

  • All employees with access to personal information receive regular training on data privacy and security best practices, confidentiality obligations, and our internal policies.

Incident Response Plan:

  • We have an established incident response plan to address any potential data breaches or security incidents promptly and effectively, including notification to affected individuals and relevant authorities as required by law.

Third-Party Vendor Management:

  • We conduct due diligence on third-party service providers who may handle personal information on our behalf, ensuring they have adequate security measures in place and are bound by contractual data protection obligations.

Regular Audits and Reviews:

  • Our security measures and privacy practices are regularly reviewed and updated to adapt to new threats and evolving best practices.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we implement extensive security measures, we cannot guarantee the absolute security of your information.

7. Data Retention

We will retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law. For example, data related to medical billing may need to be retained for specific periods mandated by healthcare or financial regulations.

8. Your Data Protection Rights (e.g., under POPIA)

Depending on your jurisdiction and applicable law, you may have certain rights regarding your personal information, including:

  • The right to access: You can request copies of your personal information.
  • The right to rectification: You can request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • The right to erasure (right to be forgotten): You can request that we erase your personal information, under certain conditions.
  • The right to restrict processing: You can request that we restrict the processing of your personal information, under certain conditions.
  • The right to object to processing: You can object to our processing of your personal information, under certain conditions.
  • The right to data portability: You can request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
  • The right to withdraw consent: If we are processing your data based on your consent, you have the right to withdraw that consent at any time.

To exercise these rights, please contact us using the details provided below. We will respond to your request in accordance with applicable data protection laws.

9. International Data Transfers

Your information may be processed and stored in countries outside of your country of residence, including South Africa, where our servers or those of our service providers may be located. These countries may have data protection laws that are different from those in your country. We will put appropriate safeguards in place to ensure that your personal information remains protected in accordance with this Privacy Policy and applicable law.

10. Minors' Privacy

Medify AI understands that our Services will be used for the identity verification and tracking of individuals under the age of 18 ("Minors"). The collection and processing of a Minor's personal information through our Services is done with the explicit consent of a parent, legal guardian, or other competent person authorized to provide such consent on behalf of the Minor, in accordance with applicable laws such as the Protection of Personal Information Act (POPIA) in South Africa.

Consent: We require consent from a parent or legal guardian before collecting or processing the personal information of a Minor for the purposes of our Services. This consent is typically obtained by the healthcare provider or medical aid scheme facilitating the Minor's access to healthcare services that utilize Medify AI.

Information Collected: The personal information collected from Minors for verification and tracking purposes will be the same as that collected for adults, as outlined in Section 2 ("Information We Collect"), and is strictly limited to what is necessary for the provision of our Services.

Use of Information: A Minor's personal information is used for the same purposes as adult user data, as described in Section 3 ("How We Use Your Information"), primarily for patient verification, accurate billing, and fraud prevention.

Parental/Guardian Rights:

Parents or legal guardians have the right to:

  • Review the personal information we have collected from their child.
  • Request the correction of any inaccurate information.
  • Request the deletion of their child's personal information, subject to legal or contractual retention obligations (e.g., medical record retention requirements).
  • Withdraw their consent for future processing of their child's personal information.

To exercise these rights, the parent or legal guardian should contact us using the details provided in Section 12 ("Contact Us"). We may require verification of their identity and relationship to the Minor before processing such requests.

Direct Collection: We do not knowingly solicit or collect personal information directly from Minors without verified parental/guardian consent provided through the healthcare or medical aid process. If a parent or guardian becomes aware that their child has provided us with personal information outside of this authorized process, they should contact us immediately so we can take steps to remove such information.

By ensuring that a parent or legal guardian facilitates the use of Medify AI's services for a Minor and provides the necessary consent, we aim to protect the privacy of Minors in compliance with applicable laws.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our website and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

12. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, or if you wish to exercise your data protection rights, please contact us at:

Medify AI
privacy@medify.co.za