Privacy policy

1. Who we are

The Practiq platform is owned and operated by Starlight Group SA (Pty) Ltd, a private company incorporated in the Republic of South Africa, trading as “Practiq” (“Practiq”, “we”, “us”, “our”). Contact details appear in the final section of this policy.

2. Our role under POPIA

Practiq processes personal information in two distinct capacities.

• Operator (Section 1). Where a clinical practice uses Practiq to record information about its patients and staff, the practice is the Responsible Party and Practiq is the Operator. We process patient information only on the documented instruction of the practice and under the Data Processing Addendum at /popia.
• Responsible Party. For our own customer relationship with the practice (account creation, billing, support, marketing communications to staff who have opted in), we are the Responsible Party and process the information described below for our own legitimate purposes.

Patients should direct requests about their clinical information to the treating practice. The practice nominates an Information Officer at onboarding; their contact details are available on request from the practice.

3. Personal information we collect

We collect the following categories of personal information.

• Account information, name, work email, login credentials (passwords are stored as salted hashes; we never see the plain value), role within the practice, and authentication metadata (sign-in times, device fingerprints, IP).
• Practice operational information, practice name, location, profession, billing details, subscription plan, payment method tokens (held by our billing provider; we never store full card numbers), invoices issued by the practice.
• Patient personal information, only those fields the practice chooses to record: identifying information, contact details, medical aid identifiers, appointments, clinical encounters, conditions, medications, allergies, observations, forms, attachments, and (where the practice enables them) audio recordings and AI-generated drafts. Identifiers such as ID number and medical aid number are encrypted at the application layer with a per-tenant key.
• Communications, emails, in-app messages, and support tickets exchanged with us.
• Usage and diagnostic information, feature interactions, error reports, and performance telemetry. We never attach patient identifiers to this telemetry; user and tenant identifiers are the only links back to the account.
• Cookies and similar technologies, strictly necessary cookies for authentication and session persistence, plus first-party preferences (e.g. sidebar collapsed state). We do not use third-party advertising cookies on the application surface.

4. How we use personal information

We use personal information for the following purposes.

• Providing the Services. Operating the platform, authenticating users, hosting clinical and billing records, generating transcripts and AI drafts when the practice requests them, sending transactional communications (appointment confirmations, reminders, password resets, invoices, security notices).
• Supporting customers. Responding to enquiries, investigating incidents, and providing technical assistance.
• Securing the platform. Detecting and preventing fraud, abuse, and unauthorised access; maintaining the audit log; investigating suspected security incidents.
• Improving the Services. Aggregated, de-identified usage analysis. We do not use patient personal information to train any machine-learning model, and we do not allow our subprocessors to do so.
• Meeting legal obligations. Complying with POPIA, tax law, anti-money-laundering law, the National Health Act, and regulator requests.

5. Lawful basis for processing

For information processed on behalf of practices, our lawful basis flows from the practice's instruction, the patient's consent obtained by the practice, the practice's legitimate interest in delivering healthcare, and applicable medical retention obligations.

For information we process as Responsible Party, we rely on: contract performance (to provide the Services); legitimate interest (to secure and improve the platform); legal obligation (to meet regulatory requirements); and consent (where required, for example for product marketing emails to users who have opted in).

6. Sharing with third parties

We share personal information only with the following categories of recipient:

• Subprocessors who provide the underlying infrastructure, transcription, AI inference, payments, email, SMS, analytics, and error monitoring. The current list, the role of each provider, and the safeguards in place are published at /security.
• Other Users in the same practice, to the extent their role permits.
• Professional advisers (accountants, auditors, legal counsel) under written confidentiality obligations.
• Authorities where compelled by lawful process or where disclosure is necessary to protect life or to investigate a serious crime.
• A successor entity in the event of a merger, acquisition, restructuring, or sale of substantially all of our assets, subject to the protections of this policy continuing.

We do not sell personal information.

7. Cross-border transfers

Production data is hosted in the European Union (Republic of Ireland, eu-west-1). Some subprocessors operate in jurisdictions outside South Africa or the European Economic Area. Where personal information is transferred to a country that does not have a law providing for an adequate level of protection comparable to POPIA, we rely on the contractual safeguards in our agreements with those subprocessors that bind them to standards approximating Sections 19 and 21 of POPIA, in line with Section 72.

8. Retention

• Clinical records are retained for at least the period required by HPCSA guidance (typically ten years from the date of last entry, longer for minor patients). After deletion requests, identifying fields are anonymised but clinical history is retained de-identified, in line with regulatory expectations.
• Operational records (invoices, billing, audit logs) are retained for seven years to satisfy tax and POPIA-accountability requirements.
• Account information is retained for the duration of the relationship and for a reasonable period thereafter to handle reactivation requests and disputes (typically up to two years), then deleted or anonymised.
• Audio recordings and AI-generated drafts follow the same retention rules as the clinical records to which they attach.

9. Security

We maintain technical and organisational measures appropriate to the sensitivity of clinical information. These are described in detail at /security and include encryption in transit and at rest, application-layer encryption for sensitive identifiers, row-level isolation between tenants, role-based access control with least-privilege defaults, audit logging on every mutation, daily encrypted backups, and an externally tested incident-response process.

10. Your rights

Patients and Users in South Africa have the following rights under POPIA, exercised free of charge unless requests are manifestly unfounded or excessive:

• Access, to be told what personal information we hold and to receive a copy.
• Correction, to have inaccurate information corrected.
• Deletion, to have personal information destroyed or deleted, subject to retention obligations.
• Objection, to object to processing on reasonable grounds.
• Withdrawal of consent, where processing relies on consent, to withdraw it at any time, without affecting prior lawful processing.
• Complaint, to lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za).

Patients should send requests to their treating practice. We will honour valid requests routed through the practice within thirty (30) days, sooner where reasonably possible. Users may exercise their rights directly with us via the contact details below.

11. Children's information

Minors' clinical records are processed by practices in the ordinary course of providing care. We rely on the practice to obtain the consent required under POPIA from a competent person before processing a child's personal information. Our Services are not directed to children for self-onboarding.

12. Marketing

We send transactional emails (essential for service operation) without separate consent. Product news, education content, and promotional emails are sent only to Users who have opted in. Each such message contains a one-click opt-out link.

13. Automated decision-making and AI

AI features in the platform generate drafts that support clinical practice. They do not autonomously decide on care, prescriptions, or billing. Every AI-generated artefact is presented to a practitioner for review and editing before it is finalised and cannot, by design, be issued without that review. We do not use patient personal information to train any model, and our AI subprocessors are contractually prohibited from doing so.

14. Changes to this policy

We may update this policy from time to time. Material changes will be announced through the in-app changelog and notified by email to account owners not less than thirty (30) days before they take effect. The “Last updated” date at the top of this page records the most recent revision.

15. Contact

Starlight Group SA (Pty) Ltd, trading as Practiq.
All enquiries, privacy, data subject requests, security disclosures, general support: support@starlightgroupsa.co.za.