PAIA Manual
Vital Loop PAIA MANUAL
Prepared in terms of section 51 of the Promotion of Access to Information Act 2 of 2000 (as amended)
DATE OF COMPILATION: 17 November 2025
DATE OF REVISION: 21 January 2026
1. LIST OF ACRONYMS AND ABBREVIATIONS
- CEO – Chief Executive Officer
- DIO – Deputy Information Officer
- IO – Information Officer
- Minister – Minister of Justice and Correctional Services
- PAIA – Promotion of Access to Information Act No. 2 of 2000 (as amended)
- POPIA – Protection of Personal Information Act No. 4 of 2013
- Regulator – Information Regulator
- Republic – Republic of South Africa
2. PURPOSE OF PAIA MANUAL
This PAIA Manual is useful for the public to –
2.1 check the categories of records held by a body which are available without a person having to submit a formal PAIA request;
2.2 have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records & the categories of records held on each subject;
2.3 know the description of the records of the body which are available in accordance with any other legislation;
2.4 access all the relevant contact details of the Information Officer and any Deputy Information Officer who will assist the public with the records they intend to access;
2.5 know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it;
2.6 know if the body will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto;
2.7 know the description of the categories of data subjects and of the information or categories of information relating thereto;
2.8 know the recipients or categories of recipients to whom the personal information may be supplied;
2.9 know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied; and
2.10 know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.
3. KEY CONTACT DETAILS FOR ACCESS TO INFORMATION OF VITAL LOOP PROPRIETARY LIMITED
3.1 Information Officer
Name: Mr Leo Hyera
Position: Director & Information Officer (POPIA Officer)
Email: info@vitalloop.co.za
3.2 Access to information general contacts
Email: info@vitalloop.co.za
3.3 National or Head Office
Virtual organisation without a true National or Head Office
Email: info@vitalloop.co.za
Website: www.vitalloop.co.za
4. CATEGORIES OF RECORDS THAT ARE HELD AT THE OFFICES OF VITAL LOOP
| Category of records | Types of record |
|---|---|
| Administration records | Attendance registers; Correspondence; Founding documents; Licences (categories); Shareholder register; Statutory returns |
| Human resource records | Conditions of service; Employee records; Employment contracts; Payroll records; Performance appraisals; Personnel guidelines, policies and procedures; Remuneration records and policies; Staff recruitment policies; Statutory records; Training records |
| Operations records (general business & platform operations) | Brochures & information on Vital Loop; Client and user registry (including web app & WhatsApp onboarding users); Contracts (including with service providers, partners & healthcare professionals); General correspondence; Information relating to service usage & engagement; Information relating to work in progress & product development; Marketing records; Marketing and future strategies; Usage & engagement records for the web application and marketing website; Suppliers registry |
| Financial and related records | Annual financial statements; Asset register; Banking records; Budgets; Contracts; Records of financial transactions; General correspondence; Insurance information; Internal audit records; Management accounts; Purchase and audit information; Tax records (company and employee) |
| Information technology records | Central repositories, databases & backups (including those hosted with third-party providers such as Supabase); System log files & audit trails; General IT correspondence; System architecture and configuration documentation; Information security policies and procedures |
5. PROCESSING OF PERSONAL INFORMATION
5.1 Purpose of processing personal information
Personal information is processed by Vital Loop for various purposes, including, without limitation, the following:
5.1.1 To provide and improve Vital Loop's web application and related services, including:
- onboarding users via WhatsApp;
- sending secure "magic link" sign-in messages;
- sending reminders and relevant messages to help users manage their chronic conditions; and
- enabling users to record and track health data such as blood glucose readings and other measurements related to chronic conditions (for example, diabetes).
5.1.2 To establish, maintain and update user and customer records, including communication preferences & consent choices.
5.1.3 For purposes related to recruitment, selection, appointment and the administration of employment relationships.
5.1.4 To give effect to legal, regulatory and/or contractual obligations.
5.1.5 To support users in sharing their health information with healthcare professionals, where the user chooses to do so, and only in line with the user's instructions.
5.1.6 To generate anonymised and aggregated data sets for research, analytics & service improvement, provided that no information is disclosed that can reasonably be used to identify an individual.
5.1.7 To monitor, maintain and improve platform performance and reliability, including the use of analytics, session replay and error monitoring tools to diagnose issues.
5.1.8 To send internal operational notifications (for example, sign-ups, sign-ins, profile updates and feedback), including via Slack.
5.2 Description of the categories of data subjects and of the information or categories of information relating thereto
Vital Loop provides a web-based platform and marketing website that enables individuals living with chronic conditions to track and manage their health, including blood glucose and other relevant measures, and to share this information with healthcare professionals if and when they choose. Users typically sign up via WhatsApp and receive a secure "magic link" to access the web application.
Vital Loop acts as a Responsible Party (as defined in POPIA) in relation to the personal information that it processes through its web application, marketing website and associated communication channels (including WhatsApp). Users retain control over their information and may decide when and whether their information is shared with a healthcare professional.
The categories of data subjects and the personal information that may be processed include, without limitation, the following:
App users / patients (individuals using Vital Loop for chronic condition management)
Information that may be processed includes:
- Name and surname
- Contact information (mobile number, WhatsApp number and/or email address)
- Age or date of birth
- Gender
- Unique identifiers (for example, internal user ID, medical record number where supplied by the user, or other identifiers selected by the user)
- Information relating to chronic conditions (for example, diabetes)
- Blood glucose readings and other health measurements entered by the user
- Information about medications, treatment plans and lifestyle factors, where the user chooses to record this
- Basic health information and medical history relevant to the chronic condition(s) being tracked
- Information relating to comorbidities, existing conditions and current treatments, where supplied by the user
- Information about when and how the user accesses the web app (for example, login timestamps, magic link usage)
- Communication history relating to reminders, notifications and support (for example, WhatsApp message logs, email logs)
- Consent records and sharing preferences (for example, which healthcare professionals the user has chosen to share data with, and for how long)
- Precise GPS location where permission is granted (captured once for operational notifications and captured with readings for clinical context)
Healthcare professionals (where users choose to share their data with a doctor or other practitioner)
Information that may be processed includes:
- Name and contact details
- Professional registration number, where applicable
- Practice or facility details
- Communication and access logs relating to the user's shared health data
Customers/clients (for example, institutional customers or partners, if applicable)
Information that may be processed includes:
- Name, address and contact details
- Registration numbers or identity numbers (for natural persons)
- Employment status, if relevant
- Bank details and invoicing information
Service providers
Information that may be processed includes:
- Names and contact details
- Company information
- Registration details (including professional or regulatory registrations, where applicable)
- Banking and invoicing details
Employees and prospective employees
Information that may be processed includes:
- Name, address and contact details
- Qualifications and employment history
- Demographic information (including gender and race, where required by law and/or for reporting)
- Performance, remuneration and benefits information
- Statutory and tax information
5.3 The recipients or categories of recipients to whom the personal information may be supplied
The categories of recipients to whom personal information may be supplied include, without limitation, the following:
- Third-party service providers engaged by Vital Loop in connection with the operation of the web application, marketing website and associated services (for example, cloud hosting providers such as Supabase, communication platforms such as WhatsApp, analytics and session replay providers such as PostHog, error monitoring providers such as Sentry, internal communications and operational notification tools such as Slack, email services & similar vendors).
- Professional advisers, consultants and auditors, to the extent necessary for them to provide services to Vital Loop.
- Legal and regulatory authorities, to the extent required or permitted by law.
- Any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights or for the prevention, investigation, detection or prosecution of criminal offences.
Vital Loop may share anonymised and aggregated information (which does not identify individual users) for research, statistical analysis, public health insights, product development & similar purposes. In such cases:
- Any information that can reasonably be used to identify a person (for example, name, surname, identity number, facial images, direct contact details) will be removed or protected;
- Any information that can be used to directly communicate with a person (for example, phone numbers, email addresses) will not be included in published or shared research outputs; and
- The information shared will only be used for lawful research or analytical purposes.
Vital Loop will otherwise treat all personal information as private and confidential and will not share it with other parties except:
- where permission has been given;
- where it is reasonably necessary to comply with any law, regulation, legal process or governmental request, to enforce Vital Loop's terms of use or other agreements, or to protect the rights, property or safety of Vital Loop, its users or others; or
- where rights and obligations are transferred in terms of a lawful transaction (for example, a business sale or restructuring), subject to appropriate safeguards.
5.4 Transborder flows of personal information
Personal information collected through the Vital Loop platform may be transferred to, stored in, or otherwise processed in jurisdictions outside of the Republic of South Africa, where such transfer is necessary to enable Vital Loop to provide its services (for example, where cloud infrastructure or database providers such as Supabase host data in data centres located outside South Africa).
In accordance with section 72 of POPIA, such transborder transfers of personal information will only occur where the recipient third party, whether a natural or juristic person, located outside the Republic of South Africa is subject to:
5.4.1 applicable law; or
5.4.2 a binding agreement
which provides an adequate level of protection for the personal information that is substantially similar to the protections afforded under POPIA, and in accordance with the terms of this Manual and any applicable privacy notices.
The transfer of personal information across borders will be limited to what is strictly necessary for the provision of the requested services.
5.5 General description of information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information
Vital Loop places great importance on ensuring the security of all personal information and is obliged to prevent the loss of, damage to, or unauthorised destruction of personal information as well as the unlawful access to or processing of this information.
Information collected through the Vital Loop platform is securely stored using appropriate and reasonable technical and organisational measures, which may include:
- hosting data with reputable cloud and infrastructure providers (including database services such as Supabase);
- encryption of data in transit and at rest, where appropriate;
- access controls and authentication mechanisms for staff and system components;
- role-based access and least-privilege principles;
- regular review of system logs and audit trails; and
- internal policies and training relating to information security and data protection.
Vital Loop has taken reasonable measures to:
- identify reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Vital Loop is in the process of obtaining relevant accreditations and certifications from appropriate bodies. Details of such accreditations may be made available upon request once obtained.
5.6 Data breaches
In the event of any privacy or security breach of the Vital Loop platform or of any third-party systems used by Vital Loop that is likely to result in any risk to a user's personal information or to the user's rights and freedoms, Vital Loop will notify affected users and the relevant Regulatory Authority as soon as it becomes aware of such breach, where required by law.
Users and any healthcare professionals using the Vital Loop platform have also been advised to notify Vital Loop immediately where they have reasonable grounds to believe that their accounts or data have been accessed or acquired by any unauthorised person.
6. INFORMATION REQUEST PROCEDURE
- The requester must use the prescribed form to make the request for access to a record. A request form is available upon request.
- The request must be made to the Information Officer named in section 3 above. This request must be made to the electronic mail address of the business.
- The requester must provide sufficient detail on the request form to enable the Information Officer to identify the record and the requester.
- The requester should indicate which form of access is required and, if any other manner should be used to inform the requester, provide the necessary particulars.
- The requester must identify the right that is sought to be exercised or to be protected and must provide an explanation of why the requested record is required for the exercise or protection of that right.
- If a request is made on behalf of another person, the requester must submit proof of the capacity in which the requester is making the request to the satisfaction of the Information Officer.
- The prescribed fee must be attached, where applicable.
- Vital Loop will respond to the request within 30 days of receiving the request by indicating whether the request for access has been granted or denied.
- The successful completion and submission of a request for access form does not automatically allow the requester access to the requested record.
- Access will be granted to a record only if the following criteria are fulfilled:
  - the record is required for the exercise or protection of any right; and
  - the requester complies with the procedural requirements set out in PAIA relating to a request; and
  - access to the record is not refused in terms of any ground for refusal as contemplated in Chapter 4 of Part 3 of PAIA.
7. DENIAL OF ACCESS
Access to any record may be refused under certain limited circumstances. These include:
- the protection of personal information held concerning any natural person;
- the protection of commercial information held concerning any third party (for example, trade secrets);
- the protection of financial, commercial, scientific or technical information that may harm the commercial or financial interest of any third party;
- disclosures that would result in a breach of a duty of confidence owed to a third party;
- disclosures that would jeopardise the safety or life of an individual;
- disclosures that would prejudice or impair the security of property or means of transport;
- disclosures that would prejudice or impair the protection of a person in accordance with a witness protection scheme;
- disclosures that would prejudice or impair the protection or safety of the public;
- disclosures that are privileged from production in legal proceedings, unless the privilege has been waived;
- disclosures of details of any computer programme;
- disclosures that will put Vital Loop at a disadvantage in contractual or other negotiations or prejudice it in commercial competition;
- disclosures of any record containing any trade secrets, financial, commercial, scientific or technical information that would harm the commercial or financial interest of Vital Loop;
- disclosures of any record containing information about research and development being carried out or about to be carried out by Vital Loop.
If access to a record or any other relevant information is denied, Vital Loop's response will include:
- adequate reasons for the refusal; and
- notice that the requester may lodge an application with the court against the refusal and the procedure, including details of the period for lodging the application.
8. AVAILABILITY OF THE MANUAL
8.1 A copy of this Manual is available–
8.1.1 on www.vitalloop.co.za;
8.1.2 at the head office of Vital Loop for public inspection during normal business hours;
8.1.3 to any person upon request and upon the payment of a reasonable prescribed fee; and
8.1.4 to the Information Regulator upon request.
8.2 A fee for a copy of the Manual, as contemplated in Annexure B of the Regulations, shall be payable per each A4-size photocopy made.
9. UPDATING OF THE MANUAL
The head of Vital Loop will, on a regular basis, update this Manual as and when necessary.
Issued by
Mr Leo Hyera – Director and Information Officer