Privacy Policy

Effective date: 1 January 2026

1. Introduction

Dr D.S. Grieve ("we", "us", "our") is committed to protecting your personal information in accordance with the Protection of Personal Information Act, 4 of 2013 (POPIA) and applicable health information privacy standards. This Privacy Policy explains how we collect, use, store, and protect your information when you interact with us, whether through:

•Our practice website and in-clinic consultations in Centurion;

•The Dr DS Grieve medical weight-loss programme (web and mobile applications); or

•Any other channel (email, phone, WhatsApp) through which we provide care.

By engaging with our services, you consent to the collection and processing of your personal and health information as described in this Policy.

2. Information We Collect

We collect the following categories of information:

2.1 Identity and Contact Information

•Full name and South African ID number

•Date of birth and gender

•Email address and mobile phone number

•Residential address

2.2 Medical and Health Information

•Current weight, height, BMI, and waist circumference

•Medical history including chronic conditions and current medications

•Allergies and previous adverse drug reactions

•Contraindication screening results

•Monthly check-in data including weight, side effects, and adherence

•Injection logs including medication, dose, and administration date

•Prescribed medications and dose protocols

•Progress photos (if submitted voluntarily)

2.3 Financial Information

•Payment records and receipts (payment card details are not stored by us)

•Order history and delivery addresses

2.4 Technical Information

•Device type, operating system, and app version

•IP address and general location (province level)

•App usage data and screen navigation (via Firebase Analytics)

•Push notification tokens (for appointment reminders)

•Crash and error reports (via Firebase Crashlytics)

2.5 Lifestyle Information

•Sleep habits, exercise frequency, alcohol use, and smoking status

•Weight loss goals and treatment commitment levels

3. How We Use Your Information

We use your information for the following purposes:

•To provide medical weight-loss services including screening, prescribing, and monitoring

•To communicate with you about your treatment, orders, and account

•To process payments for consultations, medications, and delivery

•To generate and store digital prescriptions in compliance with HPCSA requirements

•To send injection and check-in reminders via push notification or SMS

•To monitor your clinical progress and adjust your treatment plan

•To maintain audit trails for HPCSA compliance and medico-legal purposes

•To improve the App and our services through anonymised analytics data

•To respond to support queries and resolve disputes

•To comply with our legal obligations under South African law

4. Legal Basis for Processing

We process your personal information on the following lawful bases under POPIA:

•Consent: You provide explicit consent during onboarding for the processing of your personal and health information for medical care purposes.

•Contract: Processing is necessary to provide the services you have contracted for.

•Legal Obligation: We are required by law (HPCSA regulations, National Health Act) to maintain certain medical records.

•Legitimate Interest: For service improvement, fraud prevention, and platform security, balanced against your privacy interests.

5. Storage and Security

Your information is stored securely using the following measures:

•All data is stored on encrypted servers within cloud infrastructure (AWS)

•South African ID numbers are encrypted using AES-256 before database storage

•Medical files (prescriptions, lab results) are stored in AWS S3 with server-side encryption

•All API communications are secured using TLS/HTTPS

•Access tokens are stored in encrypted device storage (not in plain text)

•Access to your records is restricted to your treating doctor and authorised platform staff

•All staff access to patient data is logged in an immutable audit trail

While we implement industry-standard security measures, no system is completely immune to security breaches. We will notify you promptly in the event of a breach that affects your personal information, in accordance with POPIA requirements.

6. Data Retention

We retain your personal information for the following periods:

•Medical records: 6 years from the date of last treatment, as required by the National Health Act and HPCSA guidelines.

•Financial records: 5 years from the date of transaction, as required by the Tax Administration Act.

•Account data: For the duration of your account plus 3 years after deletion.

•Anonymised analytics data: Retained indefinitely as it cannot be linked back to any individual.

After the applicable retention period, your data is securely deleted or anonymised.

7. Sharing of Your Information

We do not sell your personal information. We may share your information only in the following limited circumstances:

•Medical necessity: With other healthcare providers if you are referred for specialist care or if clinically indicated, with your consent.

•Service providers: With trusted third parties who assist in operating the App (payment processing, email delivery, cloud hosting, analytics). These providers are contractually obligated to protect your data and may not use it for their own purposes.

•Legal requirement: Where required by law, court order, or to protect the rights and safety of individuals.

•Referral agents: If you were referred by a registered referral agent, they may see limited data (your name and referral status). They do not have access to your medical information.

Our key service providers include:

•AWS (Amazon Web Services) — cloud hosting and file storage (South Africa region)

•Resend — transactional email delivery

•PayFast — payment processing

•Firebase (Google) — push notifications, analytics, and crash reporting

8. Your Rights Under POPIA

Under the Protection of Personal Information Act, you have the following rights:

•Right to access: Request a copy of the personal information we hold about you.

•Right to correction: Request correction of inaccurate or incomplete information.

•Right to deletion: Request deletion of your account and personal information, subject to our legal retention obligations.

•Right to object: Object to the processing of your information for specific purposes (e.g., marketing analytics).

•Right to withdraw consent: Withdraw your consent to processing at any time, which will result in the termination of your treatment and account.

•Right to complain: Lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated.

To exercise any of these rights, contact us at support@drdsgrieve.co.za or use the "Request Account Deletion" function in your Profile settings within the App. We will respond within 30 days.

9. Children's Privacy

The App is not intended for use by persons under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor, we will delete it promptly. If you believe a minor has provided us with information, please contact us immediately.

10. Firebase Analytics and Tracking

We use Firebase Analytics (provided by Google) to understand how users interact with the App. This data is anonymised and aggregated — we cannot identify you personally from analytics data.

Firebase Analytics collects: screen views, app events (login, medication order, check-in submission), device type, and operating system. No medical information is included in analytics events.

Firebase Crashlytics collects crash reports and technical diagnostics to help us identify and fix bugs. Crash reports may contain device information and app state at the time of the crash.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via the App or email at least 14 days before they take effect. Your continued use of the App after changes take effect means you accept the updated Policy.

12. Information Regulator

If you are not satisfied with our handling of your personal information, you have the right to lodge a complaint with the Information Regulator of South Africa:

The Information Regulator (South Africa)
Email: inforeg@justice.gov.za
Tel: 010 023 5207
Website: www.justice.gov.za/inforeg/

13. Contact Us

For privacy-related queries, to exercise your rights, or to report a concern:

DS GRIEVE Medical Weight Loss
Information Officer: Dr D.S. Grieve
Email: support@drdsgrieve.co.za
HPCSA No: 0466352
Practice No: 1562207