← Back to Home

Privacy Policy

Last Updated: January 2025

POPIA Compliant
Encrypted
Secure Storage
HPCSA Aligned

1. Introduction

MediScribe AI ("we", "us", "our") is committed to protecting your privacy and the confidentiality of patient health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered medical documentation platform.

We are a Responsible Party under POPIA (Protection of Personal Information Act, 2013) and comply with all South African data protection laws, HPCSA (Health Professions Council of South Africa) guidelines, and international healthcare data security standards.

2. Information We Collect

2.1 Doctor/Practice Information

  • Name, email address, phone number
  • HPCSA registration number
  • Practice details (name, address, practice number)
  • Payment and billing information
  • Professional qualifications and specialties

2.2 Patient Health Information

Important: Patient information is processed on behalf of healthcare providers who remain the data custodians. We collect:

  • Patient demographics (name, date of birth, ID number, contact details)
  • Medical aid information (scheme, member number)
  • Voice recordings of consultations (with patient consent)
  • Transcribed consultation notes
  • SOAP notes, diagnoses, and treatment plans
  • ICD-10 codes and SAMA tariff codes
  • Prescription information
  • Medical history and consultation records

2.3 Technical Information

  • IP address, browser type, device information
  • Usage data (features used, time spent, actions taken)
  • Log files and analytics data
  • Cookies and similar tracking technologies

3. How We Use Your Information

3.1 Service Provision

  • Transcribe voice recordings to text using AI (OpenAI Whisper)
  • Generate SOAP notes from consultation transcripts
  • Suggest ICD-10 diagnosis codes and SAMA tariff codes
  • Create and manage digital prescriptions
  • Process medical aid claims electronically
  • Generate invoices and manage billing
  • Provide appointment scheduling and reminders

3.2 AI Processing

Voice recordings and consultation notes are processed by OpenAI's API to:

  • Convert speech to text (transcription)
  • Generate structured SOAP notes
  • Suggest medical codes and diagnoses
  • Translate between languages

Data Protection: OpenAI does NOT use customer data submitted via API to train their models. Audio recordings and transcripts are processed securely and are not retained by OpenAI beyond processing.

3.3 Platform Improvement

  • Improve AI accuracy and feature performance
  • Analyze usage patterns (anonymized)
  • Provide customer support and troubleshooting
  • Ensure security and prevent fraud

3.4 Communication

  • Send appointment reminders to patients (on behalf of doctors)
  • Send service updates and feature announcements
  • Respond to support inquiries
  • Process billing and payment notifications

4. Data Sharing and Third Parties

4.1 Service Providers We Use

  • OpenAI (USA): AI transcription and text generation. Covered by Data Processing Addendum (DPA). Data not used for training.
  • Supabase (USA): Database and authentication. SOC 2 Type II certified. Data encrypted at rest and in transit.
  • PayFast (South Africa): Payment processing. PCI-DSS compliant.
  • Resend (USA): Email delivery for appointment reminders and notifications.
  • Vercel (USA): Hosting infrastructure. Enterprise-grade security.

4.2 Medical Aid Schemes

We transmit claims data electronically to medical aid schemes (Discovery, Momentum, Bonitas, etc.) on behalf of healthcare providers. This includes patient demographics, diagnosis codes, and treatment details required for claims processing.

4.3 We Do NOT Share Data With:

  • Marketing or advertising companies
  • Data brokers or aggregators
  • Insurance companies (except for claims processing)
  • Any third party for commercial gain

4.4 Legal Disclosure

We may disclose information when required by South African law, court order, subpoena, or to protect rights, safety, or property. We will notify you unless legally prohibited.

5. Data Security

5.1 Security Measures

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access, multi-factor authentication (MFA) available
  • Audit Logs: Complete audit trail of all data access and modifications
  • Database Security: PostgreSQL with row-level security, automated backups
  • Infrastructure: Hosted on enterprise-grade cloud infrastructure (Supabase, Vercel)
  • Monitoring: 24/7 security monitoring and intrusion detection

5.2 Data Location

Primary data storage: Supabase (AWS infrastructure, US region)
Backups: Encrypted backups stored in multiple geographic regions
Cross-border transfers: Governed by appropriate safeguards under POPIA Chapter 9

6. Your Rights Under POPIA

As a data subject in South Africa, you have the following rights:

  • Right to Access: Request a copy of your personal information we hold
  • Right to Correction: Request correction of inaccurate or incomplete data
  • Right to Deletion: Request deletion of your data (subject to legal retention requirements)
  • Right to Object: Object to processing for direct marketing or legitimate interests
  • Right to Portability: Request your data in a structured, machine-readable format
  • Right to Withdraw Consent: Withdraw consent for data processing at any time
  • Right to Complain: Lodge a complaint with the Information Regulator

To exercise your rights: Email us at privacy@mediscribe-ai.com with your request. We will respond within 30 days.

7. Patient Consent

Important for Healthcare Providers:

Doctors using MediScribe AI are responsible for obtaining informed patient consent before:

  • Recording consultations
  • Processing patient data with AI tools
  • Storing patient information on our platform
  • Sharing data with medical aid schemes for claims

We provide consent form templates to assist healthcare providers in obtaining proper patient authorization.

8. Data Retention

  • Patient Records: Retained for 6 years after last consultation (HPCSA requirement)
  • Audio Recordings: Stored for 30 days, then automatically deleted (unless doctor opts for longer retention)
  • Billing Records: Retained for 5 years (tax and accounting requirements)
  • Account Data: Deleted 30 days after account closure (unless legal retention applies)
  • Audit Logs: Retained for 2 years for security and compliance purposes

9. Children's Privacy

Our platform is designed for use by healthcare professionals. Patient data may include minors, which must be processed in accordance with POPIA and with appropriate parental/guardian consent.

10. International Data Transfers

Some of our service providers (OpenAI, Supabase, Vercel) are based in the United States. Data transfers are governed by:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs)
  • POPIA Chapter 9 compliance for cross-border transfers
  • Equivalent or adequate data protection safeguards

11. Cookies and Tracking

We use cookies for:

  • Essential cookies: Authentication, security, session management
  • Analytics cookies: Usage patterns, performance monitoring (anonymized)
  • Preference cookies: Language settings, UI preferences

You can control cookies through your browser settings. Disabling essential cookies may affect functionality.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or platform notification at least 30 days before they take effect.

13. Contact Us

Information Officer (POPIA):

MediScribe AI (Pty) Ltd
Email: privacy@mediscribe-ai.com
Address: [Your Registered Business Address]

Information Regulator (South Africa):
Website: inforegulator.org.za
Complaints: complaints.IR@justice.gov.za

Important Notice

By using MediScribe AI, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use our services.