Privacy Policy
This policy explains how DataNest (Pty) Ltd, trading as RolePilot, collects, processes, stores, and protects personal information under the Protection of Personal Information Act, 2013 ("POPIA"), the Electronic Communications and Transactions Act, 2002 ("ECTA"), and related law.
Contents
- Who we are
- Information we collect
- Purpose of processing
- Lawful basis for processing
- When we share information
- How long we keep information
- Security and access controls
- AI processing of clinical content
- Your rights as a data subject
- Cookies and analytics
- Children's data
- Cross-border data transfers
- Breach notification
- Information Officer and contact
- Changes to this policy
1. Who we are
RolePilot is a clinical operating system for South African private practice doctors, operated by DataNest (Pty) Ltd, a company registered in the Republic of South Africa. References to "we", "us", "our" or "RolePilot" in this policy mean DataNest (Pty) Ltd.
For the purposes of POPIA, RolePilot acts as a responsible party in respect of the personal information of registered users (the "users", typically practising doctors and authorised practice staff), and as an operator in respect of the patient information that users upload to or generate within the service. The relationship between RolePilot and a user with respect to that user's patient data is governed by an Operator Agreement that forms part of our terms of service.
2. Information we collect
2.1 Information about users
- Account identifiers: name, email address, mobile number, professional title.
- Professional credentials: HPCSA registration number, practice number, specialty.
- Practice information: practice name, billing address, VAT number where applicable, bank or card details for subscription payment (held by our payment processor, not by us directly).
- Authentication and security data: hashed passwords, session tokens, two-factor authentication seeds, device fingerprints.
- Usage and diagnostic data: feature interactions, error reports, AI generation counts for billing reconciliation.
- Communications with us: support tickets, feedback, correspondence.
2.2 Information that users upload about patients
Users upload or generate patient information within RolePilot in order to deliver clinical care. This may include:
- Identifying information: name, date of birth, sex, South African ID number, contact details.
- Medical aid information: scheme, plan, member number, dependant code.
- Clinical information: diagnoses, medications, allergies, chronic conditions, alerts, consult notes, AI-generated clinical packs, uploaded documents and images, audio recordings of consultations where consent has been captured, lab results, prescriptions, referrals.
- Appointment information: scheduled times, attendance, cancellations, no-shows.
- Communication records: SMS and WhatsApp messages exchanged between practice and patient through our integrated channels, including delivery status.
Patient information is stored under the controlling user's account, isolated from other users, and is only accessible to that user and to authorised members of the same practice (where the user has invited them).
3. Purpose of processing
We process personal information for the following purposes:
- Service delivery: providing the RolePilot service as the user has requested it, including AI-assisted clinical documentation, scheduling, patient record management, and communications.
- Account administration: registration, authentication, billing, support.
- Security and abuse prevention: detecting unauthorised access, fraud, malware, prompt injection attempts, and abuse of the service.
- Service improvement: aggregated and de-identified analytics, error monitoring, performance measurement.
- Legal and regulatory compliance: HPCSA, POPIA, SARS, anti-money-laundering, court orders.
- Communications: transactional emails (account, security, billing), and, only where explicitly opted in, product updates.
4. Lawful basis for processing
We rely on the following grounds under POPIA:
- Consent: where you create an account, where a patient consents to consultation recording, where a user opts in to non-essential communications.
- Performance of a contract: in order to provide the service you have subscribed to.
- Compliance with a legal obligation: to meet HPCSA, tax, and statutory record-keeping obligations.
- Protection of a legitimate interest: where processing is necessary for the security and integrity of the service and the interest is not overridden by your rights.
- Specific authority for special personal information: clinical information about identifiable patients is special personal information under POPIA Section 26. We process it under Section 32 (medical professional context) on behalf of the responsible practitioner.
5. When we share information
We do not sell personal information. We share information only with the categories of recipient listed below, under written agreements that bind the recipient to confidentiality, security, and purpose limitation requirements consistent with this policy and POPIA.
- Cloud infrastructure providers: hosting, database, file storage, content delivery. Selected for SA or jurisdictionally adequate data protection.
- AI model providers: services that perform machine learning inference for the AI features of the platform. AI providers are contractually prohibited from training on your inputs or outputs and from retaining content beyond the request lifecycle.
- Speech-to-text providers: services that transcribe consult audio when you use the consult recorder.
- Communications providers: SMS gateway, WhatsApp Business platform, email delivery — for messages you send to your patients via RolePilot.
- Payment processors: card and EFT payment infrastructure, for subscription billing.
- Professional advisors: lawyers, accountants, auditors, only as necessary.
- Law enforcement and regulators: where compelled by valid legal process or where necessary to protect rights, safety, or property.
- Acquirers and successors: in the event of a merger, acquisition, restructuring, or sale, in which case we will require equivalent privacy protections from the acquiring party.
A current list of named sub-processors is available on request to support@rolepilot.app. Sub-processors may change from time to time; we update the list and where the change has a material effect we provide reasonable advance notice.
6. How long we keep information
- User account information: for the duration of the subscription and for up to seven years after closure, in line with tax and HPCSA record-keeping requirements.
- Patient records uploaded by users: for the period determined by the controlling user, with a default retention of seven years from last interaction in line with HPCSA guidance. The user may configure a different retention period within statutory limits.
- Audit logs and access records: at least seven years.
- Aggregated, anonymised usage data: indefinitely.
- Marketing preferences: for as long as you remain subscribed and for two years thereafter to honour suppression.
On account closure, personal information is archived in encrypted cold storage for the applicable retention period, then permanently deleted. Patient information is exportable at the user's request before closure.
7. Security and access controls
We implement technical and organisational measures appropriate to the nature of the information we hold:
- Encryption in transit (TLS 1.3) on every connection.
- Encryption at rest using AES-256 for databases, file storage, and backups.
- Application-layer encryption for South African ID numbers, medical aid member numbers, and other high-sensitivity identifiers.
- Per-doctor data isolation enforced at the database access-rule level, not only at the application level.
- Per-patient access logs recording every read, write, and export with actor, timestamp, IP, and action.
- Two-factor authentication, mandatory for paid tiers from the Practitioner level upwards.
- Session timeouts and re-authentication for sensitive operations.
- Rate limiting and abuse detection.
- Regular review of staff access on a least-privilege basis.
- Incident response plan with defined detection, containment, and notification procedures.
8. AI processing of clinical content
RolePilot uses artificial intelligence models to assist users in producing clinical documents, transcribing consult audio, suggesting differentials, drafting reports, and similar tasks. The following safeguards apply to all AI processing within the service:
- No model training on your data. We do not train models on user-supplied content or on content generated within RolePilot, and we contractually prohibit our AI providers from doing so.
- No long-term retention by AI providers. Inputs and outputs are not retained by providers beyond the immediate request lifecycle.
- Pseudonymisation in logs. Diagnostic and prompt logs that we retain for debugging and quality assurance have direct identifiers replaced with hashes; the hashing key is salted per-user and not retained alongside the logs.
- Cross-provider verification. Outputs from high-stakes document categories (medico-legal reports, scheme motivations, prescriptions) are verified by a second model from an independent provider before being shown.
- Human-in-the-loop responsibility. Every AI-generated clinical output carries a disclaimer indicating that the treating practitioner is fully responsible for clinical decisions. AI output is a draft for the practitioner to review, edit, and accept or reject — it is never autonomous.
- Provenance. Every AI output has metadata recording which model produced it, with what context, at what time, for which patient, by which user.
9. Your rights as a data subject
Under POPIA, every data subject (including users and patients on whose behalf users interact with us) has the right to:
- Be notified that personal information is being collected, and where it is collected from a third party.
- Request access to a copy of personal information that we hold.
- Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
- Object to processing on reasonable grounds, in particular for direct marketing purposes.
- Lodge a complaint with the Information Regulator (South Africa).
- Withdraw consent where consent was the lawful basis for processing.
For requests concerning user account information, contact us at support@rolepilot.app. We will respond within thirty days. We may need to verify your identity before fulfilling the request.
For requests concerning patient information uploaded by a user (a doctor or practice), the user is the responsible party; please direct the request to that practice. Where the practice cannot be reached or refuses, you may contact us and we will assist within the limits of our role as operator.
The Information Regulator can be reached at:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
enquiries@inforegulator.org.za
10. Cookies and analytics
RolePilot uses strictly necessary cookies for authentication, session management, and security. We use a small number of first-party analytics cookies to measure performance and detect errors; these do not identify you individually and we do not run cross-site advertising trackers. You can disable cookies in your browser; the service may not function correctly if essential cookies are blocked.
11. Children's data
RolePilot is a tool for healthcare professionals. Direct accounts may only be created by adult professionals (eighteen years and older). Patient records may, of course, contain information about children where the controlling user provides medical care to children; such records are processed under the user's lawful authority and the consent of a competent person under Section 35 of POPIA.
12. Cross-border data transfers
Some of our infrastructure providers (cloud hosting, AI models, communications) operate from outside the Republic of South Africa. Where we transfer personal information across borders, we do so only to recipients in jurisdictions that provide an adequate level of protection (in line with POPIA Section 72), or under contractual safeguards equivalent to those adequacy requirements, or with the explicit consent of the data subject for the specific transfer.
13. Breach notification
Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and affected data subjects as soon as reasonably possible after discovery, in line with POPIA Section 22, providing a description of the incident, the categories of personal information affected, the steps we have taken or are taking to mitigate the impact, and recommended steps the data subject can take.
14. Information Officer and contact
DataNest (Pty) Ltd has appointed an Information Officer responsible for compliance with POPIA. Privacy queries, access requests, complaints, and breach notifications can be directed to:
Information Officer, DataNest (Pty) Ltd
support@rolepilot.app
Johannesburg, South Africa
15. Changes to this policy
We will update this policy from time to time. The "Effective" date at the top reflects the latest revision. Where a change has a material effect on your rights, we will provide reasonable advance notice via email or in-app notice. Continued use of the service after the effective date of any change constitutes acceptance of the revised policy.