Effective Date: 1 September 2024
Last Updated: 02 January 2025
At Daniel da Cruz Physiotherapy Inc., we are committed to protecting your privacy and securing your personal information in compliance with the Protection of Personal Information Act (POPIA) and relevant South African health laws. This policy outlines our practices for handling your data when you visit our website (ddcphysiotherapy.co.za), book appointments via Bookem, or use our clinical services.
1. Information We Collect
We may collect:
- Personal Information: Name, ID/Passport number, email address, phone number, and physical address when you book an appointment through our website or our practice management software (Bookem), submit a contact form, call us directly, or message us via WhatsApp at our business phone number (0631086029).
- Health-Related Information: Medical history, injury details, and treatment plans provided for physiotherapy services. This information is initially recorded in physical form or via Bookem’s digital intake forms and subsequently transferred to secure digital storage. We collect health-related information only with your explicit consent, whether through online forms, phone, or WhatsApp communications.
- Non-Personal Information: Website usage data, such as IP address, browser type, and pages visited, to improve our site’s functionality.
- Cookies and Tracking Technologies: Our website may use cookies to enhance user experience, such as saving preferences or analyzing traffic. When you visit our website, a cookie banner will ask for your consent before placing non-essential cookies on your device. You can manage cookies through your browser settings.
2. How We Use Your Information
We use your information to:
- Provide physiotherapy services, including managing appointments, treatment planning, and follow-up care primarily through our practice management platform, Bookem.
- Maintain and store clinical records, including medical histories and treatment notes, securely on Bookem’s cloud-based platform and/or within Panacea for practice management.
- Respond to inquiries or requests submitted through our website, email, direct phone calls, or WhatsApp messages.
- Send appointment confirmations and reminders, which are automated via Bookem to help reduce no-shows and keep you informed of your scheduled visits.
- Process direct patient billing, using Panacea to generate private invoices and FNB Business Banking to receive and reconcile your payments.
- Analyze website usage to improve our site’s functionality and enhance your user experience.
- Comply with legal obligations, specifically the Protection of Personal Information Act (POPIA) and HPCSA requirements for retaining medical records (typically for 6 years).
3. Sharing Your Information
We do not sell, rent, or trade your personal information. We only share it with specific, trusted third parties necessary to manage our practice operations and fulfill legal requirements:
- Trusted Service Providers: We utilize third-party platforms that assist in our daily operations. These providers are contractually required to safeguard your data in compliance with POPIA:
- Bookem: For clinical record management, patient profiling, and automated appointment scheduling.
- Panacea: For internal practice management and generating private patient invoices.
- FNB Business Banking: To process and reconcile patient payments securely.
- Google & WhatsApp: For encrypted data storage (Google Drive) and professional communication with patients.
- FluentCRM: For managing our newsletter subscriptions and tracking marketing consent.
- Legal Obligations: We may disclose your information when required by law, such as to respond to a court order, legal process, or to protect the rights, safety, or property of Daniel da Cruz Physiotherapy Inc.
- Business Transfers: In the event of a merger, sale, or business transfer, your information may be shared with the involved parties, provided you are given prior notice and your privacy rights remain protected.
4. Your Rights
Under the Protection of Personal Information Act (POPIA), you are entitled to specific rights regarding your data. To exercise any of these, please contact our Information Officer using the details provided in Section 11.
- Access: You have the right to request a copy of the personal and health information we hold about you in our clinical systems, such as Bookem and Panacea.
- Correction: You may request that we update or correct any inaccurate or incomplete information in your patient profile.
- Deletion: You may request the deletion of your personal data. However, please note that as a healthcare practice, we are legally required by the HPCSA and the National Health Act to retain medical records for a minimum of 6 years. Deletion requests are subject to these mandatory retention periods.
- Objection: You have the right to object to the processing of your data for specific purposes, such as receiving marketing communications or newsletters.
- Portability: You may request that your data be provided in a structured, commonly used, and machine-readable format.
- Complaints: If you feel your rights have been infringed, you have the right to lodge a complaint with the Information Regulator of South Africa.
5. Data Security
We prioritize the security of your personal and health information through a combination of physical, technical, and administrative measures:
- Physical Security: Any clinical information initially recorded in physical form is stored in locked filing cabinets with restricted access until it is digitized. Once digitized, physical records are safely destroyed.
- Practice Management Security (Bookem & Panacea): Your clinical notes and patient records are stored on Bookem and Panacea, which utilize industry-standard encryption and secure cloud-based hosting to prevent unauthorized access.
- Digital Safeguards: Our administrative systems use Two-Factor Authentication (2FA) and full-disk encryption on all practice devices to protect your data at rest and in transit.
- Communications: Information shared via phone calls or our business WhatsApp (0631086029) is handled with professional confidentiality and stored within our secure digital environment.
- Data Breach Notification: In the unlikely event of a security compromise, we follow a strict incident response plan. We will notify the Information Regulator and affected individuals within 72 hours of discovery, providing details on the nature of the breach and steps taken to mitigate impact.
We implement reasonable technical and organizational measures to prevent loss, misuse, or unauthorized access. However, no system is entirely secure, and we cannot guarantee absolute security.
6. Third-Party Links and Services
Our website and practice operations rely on integrated third-party services to provide a seamless patient experience. These include:
- Clinical & Scheduling Services: We use Bookem for online bookings and clinical record management.
- Billing & Financial Services: We utilize Panacea for generating invoices and FNB for processing and receiving payments.
- Communication & Marketing: We use WhatsApp for direct communication, FluentCRM for newsletters, and Google Drive for secure digital backups.
Please be aware that we are not responsible for the privacy practices of these third parties. When you interact with these services, your data is also subject to their respective privacy policies. We encourage you to review the privacy statements of Bookem, Panacea, FNB, Google, and WhatsApp to understand how they manage your information.
7. International Data Transfers
While we prioritize local data processing, some of your personal information may be transferred to and stored in countries outside of South Africa:
- Local Processing: Our primary practice management and billing systems, Bookem and Panacea, as well as our banking through FNB, primarily process data within South Africa.
- International Service Providers: Certain records are stored on Google servers located in the European Economic Area (EEA) or the United States, and communication data may be processed by WhatsApp.
- Compliance Safeguards: We ensure these transfers comply with Section 72 of POPIA by utilizing Standard Contractual Clauses (SCCs), ISO 27001 certifications, or equivalent safeguards to ensure your data receives an adequate level of protection.
- Explicit Consent: No personal data will be transferred to a country without adequate protection unless it is necessary for your treatment or you provide explicit consent.
8. Data Retention
We retain your personal information only as long as necessary for the purposes outlined above or as required by law:
- Patient Clinical Notes: In accordance with the Health Professions Act and HPCSA guidelines, clinical notes are retained for a period of 6 years after the last consultation.
- Invoices and Tax Records: These are retained for 5 years from the financial year-end to comply with South African tax legislation.
- Marketing Data: Consent logs for newsletters or updates are retained until consent is withdrawn, at which point they are purged immediately.
- Secure Destruction: Upon reaching these retention limits, all records are irreversibly destroyed: physical documents are shredded, and digital data on platforms like Bookem or Panacea is securely deleted or anonymized.
9. Children’s Privacy
Our services are intended for individuals of all ages; however, we strictly adhere to legal requirements regarding the processing of personal information of children:
- Consent for Minors: In the event that a patient is under 12 years of age or lacks legal capacity, all intake forms and medical consents must be completed and signed by a parent, legal guardian, or an authorized person in terms of Section 7(1)(c) of the National Health Act.
- Data Collection: We do not knowingly collect personal information from children via our website or services without the explicit involvement and consent of a parent or guardian.
- Retention: As specified in our PAIA Manual, medical records for minors are subject to specific retention rules, typically remaining stored until the individual reaches the age of majority.
- Contact: If you believe we have inadvertently collected data from a child without the appropriate legal consent, please contact our Information Officer immediately so that we can take corrective action.
10. Changes to This Policy
We may update this Privacy Policy on a regular basis to reflect changes in our practice management systems, business operations, or legal requirements. Any updates will be posted directly to our website (http://ddcphysiotherapy.co.za) with a new effective date. We encourage you to review this policy periodically to remain informed on how we are safeguarding your personal information.
11. Contact Us
For questions, concerns, or to exercise your POPIA rights, contact:
Information Officer: Daniel da Cruz
Email: info@ddcphysiotherapy.co.za
Phone: 0631086029
Address: Shop L11, 135 Rivonia Road, Medical on Maude, Sandton, Gauteng, 2196
