Privacy policy

Effective date: 2025-10-01

Last updated on: 2025-10-06


1. About us

1.1.Synapp (Pty) Ltd (“Synapp”) is a private company registered and operating in accordance with the laws of the Republic of South Africa, situated at 2 De Beers Ave, Firgrove Rural, Cape Town, 7130.

1.2.Synapp provides a healthcare communication and data management platform designed to support clinicians, patients, and healthcare organisations.

2. About this Privacy Policy

2.1.The purpose of this policy (“Privacy Policy”) is to communicate how we process personal information relating to identifiable natural persons or existing juristic persons (collectively “Personal Information”), and to share certain information required in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

2.2.Health-related data is classified as special personal information under POPIA and receives additional protection. We process such information only for specified healthcare purposes, subject to your consent, contractual necessity, or legal obligation, and we do not use health-related data for unrelated or marketing purposes.

2.3.This Privacy Policy describes how we process Personal Information in providing healthcare communication and data management services (“Services”) through the Synapp (“WhatsApp Communication Channel”) and also applies to the use of our informational website located at https://synapp.co.za/ (“Website”).

2.4.We may update this Privacy Policy from time to time by publishing a revised version on our Website, which shall take effect on the date of publication. Please be sure to keep yourself up to date with our latest Privacy Policy.

2.5.This Privacy Policy should be read with any other agreements, terms, policies and the like published by us in relation to our Services. To the extent that any other binding document may conflict with our Privacy Policy, the former shall prevail.

2.6.Should you have any questions about this Privacy Policy or how we process your Personal Information, please contact us at privacy@synapp.co.za (“Privacy Mailbox”).

3. The types of Personal Information we process and how we obtain it

3.1.We take reasonable steps to ensure that the Personal Information we process is accurate, complete, and up to date. Where possible, we collect Personal Information directly from you or your authorised representative.

3.2.Please refer to Annexure A for a detailed description of the categories of Personal Information we process, including the purposes for which it is collected and the legal basis for such processing.

4. Your right to update, correct, or delete your information

4.1.You can update, correct, or delete Personal Information relating to your account with us by logging into your account on the Website at any time. The WhatsApp Service functions solely as a communication delivery mechanism and does not provide functionality for editing or managing your Personal Information.

4.2.If you wish to update, correct, or delete other Personal Information that you cannot update, correct, or delete on your account on the Website, you may contact us at our Privacy Mailbox.

5. Your right to object to the processing of your Personal Information

5.1.You have the right to object to the processing of your Personal Information where we are relying on your legitimate interests, our legitimate interests, or those of a third party to process the Personal Information.

5.2.You may also object generally to the processing of your Personal Information on reasonable grounds relating to your particular situation, for instance, where such processing negatively impacts your fundamental rights and freedoms.

5.3.If you wish to object to the processing of your Personal Information as described under this heading, kindly contact us at our Privacy Mailbox.

6. Consent requirements

6.1.Participation in Synapp requires your consent to:

6.1.1.receive educational resources and clinical assessments via the WhatsApp Service;

6.1.2.complete web-based assessments and consent forms (through the Website); and

6.1.3.allow limited emergency collateral notifications.

6.2.Research participation

6.2.1.You may separately consent to anonymised data being included in healthcare research databases and shared with academic or research partners.

6.2.2.Any research use of health-related data will only occur with explicit, separate consent, and such data will be anonymised or de-identified in line with applicable ethical and professional standards.

6.3.Minors

6.3.1.Where minors are involved, their health information will only be processed with the consent of a parent or legal guardian, and in accordance with POPIA Section 32 on the processing of health information.

6.3.2.Parents or legal guardians must complete onboarding for minors. Full parental control applies until the age of majority.

7. Storage and security of your Personal Information

7.1.We implement technical and organisational measures, in compliance with the requirements of applicable law, to ensure that the Personal Information in our possession remains confidential and secure against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. Such measures include:

7.1.1.restricting access to Personal Information to authorised personnel only, based on a need-to-know basis;

7.1.2.the use of password protection and access controls on systems that process or store Personal Information;

7.1.3.encrypting Personal Information during transmission over public networks;

7.1.4.regular backups of Personal Information to prevent data loss;

7.1.5.the use of reputable third-party hosting and infrastructure providers who implement industry-standard security controls;

7.1.6.maintaining firewalls and antivirus or endpoint protection software on systems used in our operations;

7.1.7.logging and monitoring of system access to detect and respond to security events; and

7.1.8.ensuring that staff with access to Personal Information are bound by confidentiality obligations and receive basic data protection training.

7.1.9.Given the sensitive nature of health information, we apply additional safeguards to ensure its confidentiality, including adherence to healthcare ethical standards (such as HPCSA guidelines on patient confidentiality).

7.2.All data is hosted on the Google Cloud Platform (Firestore database) in the EUR3 multi-region (Belgium, Netherlands, Finland), located within the European Economic Area (“EEA”), which provides secure infrastructure for storage and processing.

7.3.You acknowledge and agree, however, that there are inherent risks to the security of data in the provision of electronic transactional services. We accordingly do not guarantee that your data cannot ever be compromised, and you accept this risk by using our Website.

7.4.You are responsible for keeping your password to access the log-in portal on the Website confidential. Please do not share your password with anyone.

7.5.We will keep your Personal Information for only a reasonable amount of time, to enable us to use it for the purposes described in this Privacy Policy and in accordance with applicable law.

7.6.In the event of a data breach involving health-related information, we will notify affected users and the Information Regulator in accordance with POPIA’s breach notification requirements, including submission via the Regulator’s e-portal.

8. How we share your Personal Information

8.1.Subject to compliance with POPIA, we may disclose your Personal Information as required to render the Services to you, including disclosure to:

8.1.1.WhatsApp Business API (Meta Platforms): for one-way patient communications. WhatsApp processes names, mobile numbers, and message content for up to 30 days. Patients cannot reply via WhatsApp.

8.1.2.Google Cloud Platform (Firestore database): for secure data hosting in EU data centres (EUR3 multi-region).

8.1.3.Google Analytics: for anonymised usage analytics.

8.1.4.Paystack: for payment processing and subscription management (PCI DSS compliant).

8.1.5.Research partners: only with your explicit, separate consent, and in anonymised form.

8.2.Some of our third-party service providers are also located in the European Union, and accordingly your Personal Information may be transferred outside of South Africa. We will only do so, in accordance with POPIA, (1) once we have obtained your consent, (2) in order to render the Services to you in terms of a contract to which you are a party or which was concluded with a third party in your interest, or (3) where the recipient of the Personal Information is subject to a law, binding corporate rules, or binding agreement which adequately safeguards your Personal Information in a manner substantially similar to POPIA.

8.3.We use a cloud hosting and data storage provider, Google Cloud Platform (Firestore database) located within the EEA. Information processed within the EEA is subject to the level of protection provided by the General Data Protection Regulation (“GDPR”).

9. Disclosures

9.1.On rare occasions, we may be required to disclose your Personal Information because of legal or regulatory requirements. In such instances, we may disclose your Personal Information as required in order to comply with our legal obligations, including complying with court orders, warrants, subpoenas, service-of-process requirements, and/or discovery requests.

9.2.We may also disclose information about our users to law enforcement officers or others, in the good faith belief that such disclosure is reasonably necessary to enforce our terms of use or this Privacy Policy, or to protect our intellectual property rights or our personal safety or the personal safety of our users or the general public.

10. How to contact the Information Regulator

10.1.Section 74(1) of POPIA provides that any person may submit a complaint to the Information Regulator in the prescribed manner and form alleging interference with the protection of the Personal Information of a data subject.

10.2.Contact information of the Information Regulator:

Postal address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Telephone number: +27 (0) 10 023 5200
Fax number: 086 500 3351
Email address: enquiries@inforegulator.org.za
Website: www.inforegulator.org.za

Annexure A: Categories of Personal Information and processing purposes

Health information processed by Synapp is considered special personal information under POPIA. Such information is processed only with explicit consent, in accordance with healthcare ethics and professional confidentiality obligations, and subject to enhanced safeguards.

1. Information we collect when providing the Services (patients and collaterals):

Type: Technical Information for Website and WhatsApp Service functionality:
  • IP address;
  • Device type;
  • Operating system;
  • Geolocation;
  • System logs; and
  • Usage analytics, limited WhatsApp metadata.
Source: Automatically collected when patients or collaterals access the Website or receive communications via WhatsApp.
Voluntary or mandatory with legal basis for processing: Mandatory – Legitimate interest.
Purpose of collection and consequences of failure to provide the information: To ensure Website and Service security, authenticate accounts, monitor usage, prevent fraud, and optimise performance. If not provided, security and service reliability may be reduced.

Type: Registration and patient data:
  • Google account login credentials;
  • Email address;
  • Password;
  • Name;
  • Region;
  • Birth date; and
  • Gender.
Source: Provided directly by the patient during registration via the Website (either Google sign-in or direct account creation).
Voluntary or mandatory with legal basis for processing: Mandatory – Performance of a contract / Voluntary – Consent.
Purpose of collection and consequences of failure to provide the information: To register a patient account, authenticate the patient, and enable communication through the WhatsApp Service. If not provided, the patient will not be able to register or use the Services.

Type: Health Information:
  • clinical assessment questionnaires;
  • psychiatric rating scales;
  • consent forms; and
  • other health-related data.
Source: Provided directly by the patient via Website forms (linked from WhatsApp).
Voluntary or mandatory with legal basis for processing: Voluntary – Consent.
Purpose of collection and consequences of failure to provide the information: To facilitate healthcare communication, provide support to clinicians, and enable clinical decision-making. If not provided, Services cannot be delivered.

Type: Collateral Contact Details:
  • caregivers;
  • emergency contacts; and
  • guardians for minors.
Source: Provided by the patient or guardian via the Website.
Voluntary or mandatory with legal basis for processing: Voluntary – Consent.
Purpose of collection and consequences of failure to provide the information: To notify collaterals in emergencies, support guardianship requirements, and ensure patient wellbeing. If not provided, emergency support will not be available.

Type: Research Data:
  • anonymised patient data with separate consent.
Source: Derived by Synapp from existing data, anonymised.
Voluntary or mandatory with legal basis for processing: Voluntary – Consent / Legitimate interest.
Purpose of collection and consequences of failure to provide the information: For academic research, development of healthcare databases, and benchmarking. If not provided, the patient will not participate in research studies.

2. Information we collect from clinicians, healthcare organisations, and administrative staff:

Type: Registration and clinician data:
  • Google account login credentials;
  • Email address;
  • Password;
  • Name;
  • Region;
  • Birth date; and
  • Gender.
Source: Provided directly by the clinician during registration via the Website (either Google sign-in or direct account creation, self-certified by the clinician).
Voluntary or mandatory with legal basis for processing: Mandatory – Performance of a contract.
Purpose of collection and consequences of failure to provide the information: To validate and provide clinician access to the Services, to ensure clinicians self-certify their role in line with the terms of service. If not provided, the Clinician cannot participate in the Services.

Type: Technical Information for Website and WhatsApp Service functionality:
  • IP address;
  • Device type;
  • Operating system;
  • Geolocation;
  • System logs; and
  • Usage analytics, limited WhatsApp metadata.
Source: Automatically collected when healthcare providers access the Website or receive communications via WhatsApp.
Voluntary or mandatory with legal basis for processing: Mandatory – Legitimate interest.
Purpose of collection and consequences of failure to provide the information: To ensure Website and Service security, authenticate user access, monitor usage, prevent fraud, and optimise performance. If not provided, security and service reliability may be reduced.

Type: Administrative and billing data:
  • Organisation details;
  • Payment information;
  • Subscription records; and
  • Invoices.
Source: Provided directly by the healthcare provider or organisation, or via Paystack.
Voluntary or mandatory with legal basis for processing: Mandatory – Performance of a contract / Legal obligation.
Purpose of collection and consequences of failure to provide the information: For processing payments, managing subscriptions, maintaining billing records, and complying with financial regulations. If not provided, Services cannot be billed or provided.