Patient Privacy Notice

Last updated: 2025-11-18
Version: 1.0

The Vital Loop Platform is a tool that allows individuals living with chronic conditions (for example diabetes) ("patients") to record & track their health information, including blood glucose readings, & to choose whether and how to share this information with a clinician or other third party. To provide this service, we need to collect, process, store & in some cases share patient Personal Information & Special Personal Information (health information), as these terms are defined in the Protection of Personal Information Act No. 4 of 2013 ("POPIA").

This Patient Privacy Notice explains how Vital Loop (Pty) Ltd trading as Vital Loop ("Vital Loop", "we", "us", "our") collects, processes, stores & shares patient Personal Information & Special Personal Information when patients use our WhatsApp-based sign-up flow, web application & marketing website (together, the "App" or "Platform"). It should be read together with our main Privacy Policy.

We act as the Responsible Party of our end users' ("Data Subjects") Personal Information when an account is opened with Vital Loop using our WhatsApp-based sign-up flow, web application & marketing website. We process Personal Information & Special Personal Information (including health information) in order to provide our services to you.

This Patient Privacy Notice provides information on:

  • Expectations of patients & health practitioners
  • Children
  • Patient Information collected
  • Processing of Patient Information
  • Sharing of Patient Information
  • Patient privacy & confidentiality
  • Information security
  • Transborder flow of information
  • Retention of Patient Information
  • Electronic communications
  • Data breaches
  • Revisions to this Notice
  • Privacy queries
  • Information Officer

1. Expectations of patients & health practitioners

1.1 Patients

When you use the App, we expect & presume that:

  • You are providing your own Personal Information & Special Personal Information, or that you are lawfully authorised to provide the information of another person (for example a child in your care).
  • You understand that the App is a self-management & tracking tool for chronic conditions, & does not replace medical advice, diagnosis or treatment from a qualified health practitioner.
  • You understand that you control whether & how your data is shared with a clinician or other third party, using the sharing features available in the App or by exporting & sharing your information yourself.
  • It is not mandatory for you to supply all information requested in the App. However, if you do not provide certain information, some features of the App may not work as intended or we may not be able to provide the services you have requested.

1.2 Health practitioners

Where a clinician or other health practitioner ("Health Practitioner") uses or receives information from the App:

  • The Health Practitioner remains responsible under applicable healthcare & privacy laws for obtaining any necessary consent from the patient for the collection & use of their health information & for any medical advice or treatment they provide.
  • Health Practitioners are obliged to take steps to ensure that their patients are aware of how & why any of their information will be collected & processed, & where required, shared with third parties (including Vital Loop) in order to provide care.
  • Health Practitioners may explain this Patient Privacy Notice to patients or provide them with a copy, where relevant.

2. Children

We may process Personal Information & Special Personal Information of children under the age of 18 years for healthcare-related purposes where the App is used by, or on behalf of, a child living with a chronic condition.

Where a child uses the App directly, we expect that:

  • A parent or legal guardian has provided any required consent to the processing of the child's information, where such consent is required under POPIA or other applicable law; &
  • The parent or guardian is involved in decisions about whether & how the child's information is shared with any Health Practitioner or third party.

Where it is not reasonably practicable to obtain consent from a parent or guardian (for example where a child is under the care of the State), consent should be obtained from the guardian appointed to care for the child in accordance with applicable law.

We reserve the right to request, at any time, that a parent, guardian or Health Practitioner furnishes us with evidence of such consent having been obtained, where applicable.

3. Patient Information collected

3.1 Categories of information

When you register to use the App & during your use of the App, we may collect the following categories of Personal Information & Special Personal Information:

Identification & contact information

  • Name & surname
  • Mobile number (including your WhatsApp number)
  • Email address (where provided)
  • Basic profile information that you choose to provide (for example age range or year of birth, gender, primary chronic condition)

Health & monitoring information

  • Information about your chronic conditions (for example, type of diabetes) that you choose to record
  • Clinical monitoring data such as blood glucose readings & related values
  • Timestamps & notes associated with your readings or other health events
  • Information about whether & how you choose to share data with a clinician or other third party
  • Personal information related to health, treatment history & demographic data that can be used to develop a "user health profile" to add context to health readings captured by users for chronic conditions

Technical & usage information

We may collect technical & device information during the course of your use of the App to troubleshoot issues, maintain security & improve the App, including:

  • Device identifiers (for example a browser or device ID)
  • Browser type & version
  • Device operating system & version
  • Time zone & language settings
  • General location inferred from IP address (not precise GPS location)
  • Log information about how you use the App (pages viewed, features used, date & time of access)

Communications & interaction information

We may also collect:

  • Information you provide when you communicate with us by WhatsApp, email, chat, telephone or any other means
  • Information you input into the App, including your readings & related notes
  • Information contained in a public record or deliberately made public by you
  • Information we collect from another lawful source where permitted under POPIA (for example for law enforcement or regulatory purposes)

We do not collect or store the content of your private WhatsApp messages beyond what is necessary to operate the sign-in workflow & send reminders (such as message metadata & your WhatsApp number).

4. Processing of Patient Information

POPIA sets out eight conditions for the lawful processing of Personal Information ("the Eight Conditions"). Vital Loop is committed to complying with the Eight Conditions, including: Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Data Security & Data Subject Participation.

The patient Personal Information & Special Personal Information that we collect, & the ways in which we process it, are necessary for us to:

  • Register you as a user & manage your account
  • Provide the Service, including recording, storing & displaying your health data (for example blood glucose readings) & related information
  • Send you secure sign-in links & other authentication workflows via WhatsApp &/or email
  • Send reminders to help you use the App regularly
  • Allow you to choose whether & how to share your data with a clinician or other third party
  • Prevent fraudulent or unauthorised use of the App
  • Improve our products & services & develop new products & services
  • Comply with legal & regulatory obligations

We may also use anonymised, aggregated data (data that does not identify you & that cannot reasonably be used to re-identify you) for research, statistical or analytical purposes, including to improve healthcare outcomes & our services. We will not publish or disclose anonymised data in any way that could reasonably be used to re-identify individuals.

5. Sharing of Patient Information

We will treat your Personal Information as private & confidential, & will only share it in accordance with this Patient Privacy Notice, our main Privacy Policy & applicable law.

5.1 Sharing initiated and controlled by you

Where you choose to share your data with a clinician or other third party (for example a treating doctor):

  • Such sharing is initiated & controlled by you using features in the App or by exporting & sharing your data yourself.
  • We will only share your Personal Information with those parties in accordance with your instructions & applicable law.

5.2 Sharing with third parties for our business purposes

We may disclose your Personal Information to third parties for legitimate business purposes, in accordance with applicable law & subject to appropriate confidentiality & security safeguards. These third parties may include:

  • Any person that works for us in the employ of Vital Loop, either as a permanent employee, director or contractor who needs access to such information to perform their duties
  • Companies & organisations that provide services to us, including secure technical infrastructure, hosting, database & authentication services (for example reputable providers such as Supabase), messaging services (for example WhatsApp), analytics, & web/app development & support
  • Our professional advisers, consultants & other similar service providers who assist us in operating our business
  • Legal & regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation
  • Any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights
  • Any relevant party for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against & the prevention of threats to public security

If we engage a third party to process any of your Personal Information, the third party will be subject to binding contractual obligations to only process such Personal Information in accordance with our prior written instructions & to use measures to protect the confidentiality & security of such Personal Information.

5.3 Use of anonymised & de-identified information

We may share de-identified information, as defined in POPIA, with healthcare providers, healthcare establishments, universities &/or researchers for research purposes &/or for professional or research publication. This de-identified information is health information that has been anonymised, does not contain personally identifiable information & cannot reasonably be linked to a specific individual. Any such recipients are bound by appropriate confidentiality obligations & may not share or re-identify the data, and may only use it for the purposes for which it was provided. We will not disclose information that can reasonably be used to identify an individual in connection with our use of anonymised or aggregated data, except where required by law or with your explicit consent.

6. Patient privacy & confidentiality

We value each patient's privacy & strive to ensure patient confidentiality is maintained at all times. We will only collect, process, store & share patient Personal Information & Special Personal Information in accordance with this Patient Privacy Notice, our main Privacy Policy, applicable law & the terms of use of the App.

7. Information security

We place great importance on ensuring the security of your Personal Information. We regularly review & implement up-to-date technical & organisational security measures when processing your Personal Information. Employees, directors & contractors are trained to handle Personal Information securely & with respect, failing which they may be subject to disciplinary action.

Our Platform is developed using secure technologies with security by design & privacy by default principles at the forefront of its architecture. The Platform can only be accessed using appropriate access control mechanisms, including our WhatsApp-based sign-in workflow & secure magic links.

We utilise secure, reputable cloud-based hosting & database solutions (for example Supabase) to store & process your Personal Information. These providers implement recognised security standards to protect Personal Information in their environments. We take reasonable measures to:

  • Identify reasonably foreseeable internal & external risks to Personal Information in our possession or under our control
  • Establish & maintain appropriate safeguards against the risks identified
  • Regularly verify that the safeguards are effectively implemented
  • Ensure that the safeguards are continually updated in response to new risks or identified deficiencies

You are responsible for maintaining adequate security & control over any device, email account or WhatsApp number used to access the App, including using strong authentication methods where available & not sharing access with others, keeping your contact details up to date, & notifying us promptly in the event of unauthorised access.

We encourage users to use reputable anti-malware software & to remain alert to phishing or spoofing attempts, particularly via SMS, WhatsApp or email. If you receive a communication purporting to be from us & are unsure of its authenticity, you should contact us at support@vitalloop.co.za.

8. Transborder flow of information

We may transfer your Personal Information to recipients &/or hosting providers outside of the Republic of South Africa. Personal Information may be transferred to a third party outside of the Republic of South Africa provided that the third party is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection for the Personal Information in line with this Patient Privacy Notice, our main Privacy Policy & POPIA, and the transfer is necessary in order to provide the services required by you.

You may withdraw your consent to us processing your information across borders; however, this may mean that we are no longer able to offer the Service to you.

9. Retention of Patient Information

We will retain patient information:

  • For as long as necessary to achieve the purpose for which the information was collected
  • Where retention of the record is required or authorised by law (including any applicable laws relating to health records)
  • Where retention is required for lawful purposes related to our functions or activities
  • Where retention of the record is required by a contract between the parties
  • Where you have consented to the retention of the record
  • For historical, statistical or research purposes if we have established appropriate safeguards against the records being used for any other purposes

We may retain your information in a de-identified manner for as long as we reasonably require for research & statistical purposes, provided such data cannot reasonably be used to identify you.

10. Electronic communications

To provide you with the agreed services, you accept & agree that:

  • Any communications, agreements, notices &/or any other documents ("Communications") relating to your account or your use of our products & services may be provided to you electronically by posting them on our website or web application, sending them via WhatsApp to the number you have provided, emailing them to the email address you have provided to us, or through any other form of electronic communication
  • You consent to receiving Communications electronically via these channels, including WhatsApp-based sign-in links & reminders to use the App
  • You will at all times have available to you the necessary hardware & software to receive, access & retain Communications sent to you electronically, including a device with an internet connection, access to WhatsApp (where applicable) &/or a valid and accessible email address
  • You assume full responsibility for providing us with valid & accessible contact details (including your WhatsApp number & email address, if provided) to which any Communications may be sent, and for ensuring that such contact information is kept up to date. Any Communication sent to the contact details you have provided to us will be deemed to have been received by you
  • You may at any time withdraw your consent to receiving Communications electronically by contacting support@vitalloop.co.za. You acknowledge that withdrawing consent for certain channels (for example WhatsApp) may prevent you from using parts of the Service that rely on those channels, such as sign-in workflows or reminders.

11. Data breaches

In the event of any privacy or security breach that is likely to result in any risk to your Personal Information &/or Special Personal Information, or to your rights & freedoms, we will notify you (where feasible) and the relevant regulatory authority as soon as we become aware of such breach, in accordance with POPIA.

You should also notify us immediately at support@vitalloop.co.za where you have reasonable grounds to believe that your account or data have been accessed or acquired by any unauthorised person so that we can assist in protecting your account where possible.

12. Revisions to this Notice

We may update this Patient Privacy Notice from time to time to reflect changes in our practices, legal or regulatory requirements, or improvements to our services. When we do so, we will post the updated Notice on our website & web application, and update the "last updated" date. Where required by law, we will notify you of material changes & may request your consent to such changes.

13. Privacy queries

If you have any questions or concerns about this Patient Privacy Notice, our handling of your Personal Information, or wish to exercise your rights under POPIA (for example to access, correct or delete your Personal Information), you may contact us at:

Email: support@vitalloop.co.za

14. Information Officer

Our appointed POPIA Officer is:

Name: Leo Hyera
Role: Director & POPIA Officer, Vital Loop (Pty) Ltd
Contact: support@vitalloop.co.za (marked for the attention of the POPIA Officer)

You may contact the POPIA Officer using the details above if you wish to:

  • Request access to Personal Information we hold about you
  • Request correction, deletion or restriction of your Personal Information, subject to lawful limitations
  • Object to certain processing activities
  • Lodge a complaint regarding our processing of your Personal Information

Questions? Contact us at support@vitalloop.co.za.