Last updated 22 May 2026
POPIA and data processing
1. Overview
The Protection of Personal Information Act, 2013 (“POPIA”) governs the processing of personal information in South Africa. This page describes how Starlight Group SA (Pty) Ltd, trading as “Practiq” (“Practiq”), supports practices in meeting their POPIA obligations, and sets out the Data Processing Addendum (“DPA”) that forms part of every customer relationship.
2. Roles
Under Section 1 of POPIA, the clinical practice using Practiq is the Responsible Party for the personal information of its patients and staff. Practiq is the Operator: we process personal information only on the practice's documented instructions and only for the purpose of delivering the platform.
For our own customer relationship with the practice (account, billing, support), Practiq is itself a Responsible Party. The Privacy Policy at /privacy explains that processing in detail.
3. Information Officer
Section 56 of POPIA requires every Responsible Party to designate an Information Officer. Each practice records its Information Officer at onboarding; the field is editable in the practice settings and may not be left blank. Practiq's own Information Officer can be reached at support@starlightgroupsa.co.za.
4. Sections of POPIA we directly implement
- Section 15 (further processing). Where the practice enables the AI scribe, every recording requires explicit per-encounter patient consent. The consent script is editable in the practice settings and is captured and stored alongside the recording.
- Section 19 (security safeguards). Technical and organisational measures are documented in detail at /security.
- Section 21 (Operator obligations). We process personal information only with the practice's authorisation, treat it as confidential, and notify the practice of breaches in line with Section 22.
- Section 22 (notification of breach). Where we have reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, we notify the practice's Information Officer as soon as reasonably possible and in any event within seventy-two (72) hours of identifying the breach. The notification includes the nature of the compromise, the data categories affected, the measures we have taken, and the steps the practice may wish to take.
- Section 23 (access and portability). Every patient record can be exported as a machine-readable archive (JSON plus attached documents) from the patient detail page.
- Section 24 (correction and deletion). A patient may request correction or deletion of their personal information. Deletion is implemented as a thirty (30) day grace period (during which the practice may cancel the request, for example if the patient is in active treatment), followed by automatic anonymisation of identifying fields. Clinical history is retained de-identified for the HPCSA-mandated period.
- Section 25 (notification of refusal). Where we or the practice refuse a data subject request, the data subject is given written reasons and informed of the right to complain to the Information Regulator.
- Section 72 (cross-border transfers). Production data is hosted in the European Union. Sub-operators in other jurisdictions are bound by contractual safeguards approximating POPIA standards.
5. Data Processing Addendum
The following Data Processing Addendum (“DPA”) is incorporated into the Terms of Service at /terms. By using the Services, the practice and Practiq are taken to have agreed to it. A signed PDF copy is available at /api/legal/dpa for the practice to counter-sign for its own records.
6. DPA, definitions
Capitalised terms not defined in this DPA take the meaning given to them in POPIA or in the Terms of Service. “Operator” means Starlight Group SA (Pty) Ltd. “Responsible Party” means the practice. “Personal Information” has the meaning given in Section 1 of POPIA.
7. DPA, subject matter, duration, nature and purpose
The Operator processes Personal Information of the Responsible Party's patients and staff for the purpose of providing the Practiq software-as-a-service platform. Processing continues for the duration of the active subscription, plus any retention period required by law or by the Responsible Party's clinical retention obligations.
8. DPA, categories of data subjects and Personal Information
Data subjects: patients of the Responsible Party and the Responsible Party's staff. Categories of Personal Information: identifying information (name, date of birth, identity number), contact details, medical aid identifiers, clinical history (encounters, conditions, observations, medications, allergies, attached documents), audio recordings (where enabled), and AI-generated drafts (where enabled).
9. DPA, Operator obligations
The Operator undertakes to:
- process Personal Information only on the documented instructions of the Responsible Party, except where required to do otherwise by South African law (in which case the Operator will inform the Responsible Party unless that law prohibits it);
- treat Personal Information as confidential;
- ensure that persons authorised to process Personal Information are under appropriate confidentiality undertakings;
- implement and maintain the technical and organisational measures described at /security;
- notify the Responsible Party of any actual or reasonably suspected security compromise affecting the Personal Information without undue delay and in any event within seventy-two (72) hours of identification;
- assist the Responsible Party, taking into account the nature of the processing, in fulfilling its obligations to respond to data subject requests under POPIA;
- on termination of the Services, delete or return all Personal Information at the Responsible Party's choice, save for copies required to be retained by law.
10. DPA, sub-operators
The Responsible Party authorises the Operator to engage the sub-operators listed at /security. The Operator will give the Responsible Party at least thirty (30) days' advance notice (by an in-app announcement and an email to the account owner) before adding or replacing a sub-operator that materially affects the processing of Personal Information. The Responsible Party may object on reasonable grounds; if the Operator cannot accommodate the objection, the Responsible Party may terminate the affected portion of the Services on written notice.
The Operator remains responsible to the Responsible Party for the acts and omissions of its sub-operators in respect of Personal Information.
11. DPA, international transfers
Where Personal Information is transferred to a country that does not have a law providing for an adequate level of protection that is substantially similar to POPIA, the Operator relies on the contractual safeguards in its agreements with sub-operators which bind those sub-operators to standards approximating Sections 19 and 21 of POPIA. Section 72(1)(a) of POPIA accordingly applies.
12. DPA, assistance with data subject rights
The Operator provides in-platform tooling that enables the Responsible Party to respond to access requests (Section 23) and deletion requests (Section 24) within the statutory timeframes. Patient data export produces a machine-readable archive containing all stored fields plus attached documents. Deletion proceeds in line with Section 4 of this page.
13. DPA, audit and inspection
On reasonable written notice and at the Responsible Party's cost, the Operator will make available the information necessary to demonstrate compliance with this DPA and POPIA. Where the Responsible Party wishes to verify compliance, the Operator may propose a mutually acceptable independent auditor in place of an on-site inspection. Audit information is provided under confidentiality obligations and may be limited where disclosure would compromise the security of other customers or breach an obligation of confidence owed to a third party.
14. DPA, return and deletion of data
On termination, the Responsible Party may export Personal Information from the platform for thirty (30) days. After that period, the Operator deletes or irreversibly anonymises Personal Information, retaining only what is required by law (notably HPCSA-mandated clinical record retention) on a strictly limited basis.
15. DPA, liability and order of precedence
Each party's liability under this DPA is subject to, and forms part of, the aggregate liability cap and exclusions set out in the Terms of Service. In the event of conflict between the Terms of Service and this DPA in relation to the processing of Personal Information, this DPA prevails.
16. DPA, term and governing law
This DPA runs concurrently with the Terms of Service and is governed by the laws of the Republic of South Africa. The parties submit to the non-exclusive jurisdiction of the High Court of South Africa.
17. Retention summary
- Clinical records, retained for at least ten (10) years from the last entry, longer for minor patients, in line with HPCSA guidance. Deletion requests result in anonymisation, not destruction, of clinical history.
- Operational records (invoices, billing, audit logs), seven (7) years.
- Account information, duration of the relationship plus up to two (2) years.
18. Contact
All enquiries, privacy, data subject requests, security disclosures: support@starlightgroupsa.co.za.
Information Regulator of South Africa: inforegulator.org.za.
Issued by Starlight Group SA (Pty) Ltd, trading as Practiq