โœ…

ELMED is currently in early access, we're on boarding our first doctors, pharmacies, and patients. Some features are still being refined. What this means for you โ†’

Privacy Policy

Last updated: 3 June 2026 · POPIA compliant

๐Ÿ”’ Elmed Health (Pty) Ltd is committed to protecting your personal information in accordance with the Protection of Personal Information Act (POPIA), Act 4 of 2013.

1. Who We Are

Responsible Party: Elmed Health (Pty) Ltd, Registration Number K2026/249265.

Information Officer: Elmo O'Reilly, registered with the Information Regulator of South Africa in terms of POPIA section 55 (Regulator Registration Number: 2026-022856). Contact at privacy@elmed.healthcare.

2. Information We Collect

  • Identity information: name, ID number, date of birth
  • Contact information: email address, phone number, physical address
  • Health information: medical history, diagnoses, prescriptions, lab results, vitals. This is Special Personal Information under POPIA.
  • Financial information: banking details for provider payouts; payment method tokens processed by payment processors and never stored by ELMED
  • Usage data: IP addresses, session data, audit logs for security and compliance
  • Medical aid information: scheme name, membership number, plan details

3. Why We Process Your Information

  • To facilitate healthcare consultations, prescriptions, and referrals
  • To process payments and manage medical aid claims
  • To send appointment reminders and health notifications (with your consent)
  • To comply with legal obligations under the HPCSA, SAPC, National Health Act, and NDoH regulations
  • To detect and prevent fraud and platform abuse
  • To improve platform features and user experience

4. Special Personal Information (Health Data)

Health information is Special Personal Information under POPIA section 26. We only process it with your explicit consent and only share it with: your chosen healthcare providers, your medical aid scheme (for claims), and as required by law (for example, notifiable conditions reporting to the NDoH).

5. Who We Share Your Information With

  • Healthcare providers you consult: doctors, pharmacies, labs, and specialists on the platform
  • Medical aid schemes: only for claim processing, with your authorisation
  • Payment processors: iKhokha, PayFast, and Yoco process payments under their own privacy policies. Card details are never stored by ELMED.
  • Email service providers: for transactional notifications only
  • We do not sell your personal information to any third party.

6. Operators and Data Processing Agreements

Healthcare providers who use the ELMED platform to process patient data (pharmacies, laboratories, and clinical practices) do so as operators under POPIA section 20. Elmed Health (Pty) Ltd enters into written Data Processing Agreements with these providers, setting out their obligations as operators. Operators may only process personal information in accordance with POPIA and the terms agreed with Elmed Health.

7. Data Security

We implement technical and organisational measures including: encrypted connections (HTTPS/TLS), hashed passwords, session-based authentication, role-based access controls, comprehensive audit logging, and regular security monitoring. Health records are accessible only to authorised providers directly involved in your care.

8. Data Retention

ELMED is a clinical data custodian. Our retention obligations are set by law and HPCSA guidance. The table below sets out the minimum retention periods we apply.

Record type Minimum retention period
Adult clinical records (consultations, diagnoses, prescriptions) 5 years from the last consultation
Minor patient records Until the patient turns 18, plus 7 years. A newborn's records may be retained for up to 25 years.
Consent records Duration of the patient relationship plus 5 years
Prescription and dispensing records 5 years from the date of issue
Billing and invoice records 5 years (South African Revenue Service requirement)
Security and audit logs 5 years
Non-clinical account data Deleted within 90 days of a verified deletion request where no legal retention obligation applies

Records are retained in a secure, accessible, and retrievable form. This is not simply a matter of storing the same files indefinitely. We take responsibility for maintaining the integrity, accessibility, and security of records across changes in technology, infrastructure, and cloud providers for the full retention period.

9. Platform Continuity and Cessation

Health records do not cease to be our responsibility if the platform changes ownership, restructures, or stops trading. The following commitments apply to all health records held by Elmed Health (Pty) Ltd.

If ELMED ceases trading

All health records will be transferred to a designated successor custodian or, where no suitable custodian exists, to the Information Regulator of South Africa. Records will not be destroyed while a legal retention obligation exists.

Who becomes custodian

In the event of a sale, merger, or restructuring, any acquirer or successor entity assumes the same data custodianship obligations. This requirement is a condition of any transfer of the business or its assets.

How patients are notified

We will notify registered patients by email at least 30 days before any planned transfer of custodianship. If advance notice is not possible due to insolvency or regulatory action, the Information Regulator will be notified and patients will be contacted as soon as practically possible.

How records are transferred

Records will be exported in a structured, portable format (including PDF and standard data formats) to either the successor custodian or directly to patients on request. Patients may request a full export of their records at any time via the patient portal.

Record retrieval after years

We maintain records in a format that remains retrievable and intelligible over the full retention period. This includes documented data formats, migration procedures, and backup verification. A patient or provider requiring historical records may contact us at privacy@elmed.healthcare.

Funding of ongoing retention

Long-term record retention is a planned operational obligation. It is budgeted for as part of our operating costs. In the event of insolvency, provision for record retention will be included in any liquidation or business rescue proceedings.

10. Your Rights Under POPIA

  • Access: request a copy of your personal information
  • Correction: request correction of inaccurate information
  • Deletion: request deletion of your data, subject to legal retention requirements
  • Objection: object to processing for direct marketing
  • Portability: download a structured copy of your personal information at any time via the patient portal
  • Complaint: lodge a complaint with the Information Regulator at inforeg@justice.gov.za

Submit POPIA requests from your patient portal under Settings → POPIA & Privacy, or email privacy@elmed.healthcare.

11. Cookies

We use only strictly necessary session cookies for authentication. We do not use advertising cookies or third-party tracking.

12. Changes to This Policy

We will notify registered users by email of any material changes to this policy. Continued use of the platform after notification constitutes acceptance.

13. Contact

Information Officer: Elmo O'Reilly
Elmed Health (Pty) Ltd (Reg. No. K2026/249265)
Email: privacy@elmed.healthcare

Information Regulator of South Africa: inforeg@justice.gov.za · 010 023 5207 · JD House, 27 Stiemens Street, Braamfontein, Johannesburg

Terms of Service Back to Home