Privacy Policy

Last updated: April 2025

Welcome Desk ("we", "our", "us") is operated by WelcomeDesk (Pty) Ltd, a company registered in South Africa. We are committed to protecting the privacy of both the medical practices that use our platform ("Practices") and the patients who submit information through it ("Patients").

This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights in relation to it. By using Welcome Desk, you agree to the terms of this Policy.

1. Who This Policy Applies To

This Policy applies to two groups of people:

• Practice Users (owners, administrators, receptionists, doctors) who create and manage accounts on Welcome Desk.
• Patients who submit personal and medical information through a Practice's intake form.

2. Information We Collect

From Practices: Practice name, contact details, billing information, and staff account information (names, email addresses, roles).

From Patients: Full name, date of birth, South African ID number or passport number, contact details, home address, medical aid information, emergency contact details, medical history (conditions, medications, surgeries), and digital consent and signature.

3. How We Use Your Information

• To provide and operate the Welcome Desk intake platform to Practices.
• To store and display patient intake records to authorised Practice staff.
• To generate PDF exports of patient records on request.
• To manage subscription administration, invoicing, and billing communications with Practices.
• To send service notifications, billing reminders, and product updates to Practice Users.
• To comply with our legal obligations under the Protection of Personal Information Act (POPIA) and other applicable South African law.

We do not sell patient data. We do not use patient data for advertising, profiling, or any purpose other than providing the intake service to the Practice.

4. Legal Basis for Processing (POPIA)

Under POPIA, we process personal information on the following grounds:

• Contract performance: Processing necessary to provide the service to Practices under our subscription agreement.
• Consent: Patients provide explicit digital consent before submitting their information through the intake form.
• Legitimate interest: For billing, support, and service improvement purposes.
• Legal obligation: Where required by applicable law.

5. Data Storage and Security

Patient data is stored on secure, POPIA-compliant infrastructure provided by Supabase. All data is stored within data centres that meet applicable data protection standards.

Sensitive fields (including ID numbers, passport numbers, and medical aid member numbers) are encrypted at rest using AES-256-GCM encryption. Access to patient records is restricted to authorised staff of the relevant Practice through role-based access controls.

We implement industry-standard security measures including HTTPS encryption in transit, secure authentication, and activity audit logging.

6. Data Retention

Patient records are retained for a period of 5 years from the date of submission, in line with South African medical record retention requirements. After this period, records are eligible for deletion.

Practices may request deletion of patient records at any time by contacting us. Patients have the right to request deletion of their records from the Practice (as the Responsible Party under POPIA).

7. Sharing of Information

We do not sell or rent personal information. We share information only in the following limited circumstances:

• Service providers: We use Supabase (database and storage), Resend (email delivery), and Vercel (hosting). We may also work with local billing or payment partners chosen for South African practices. These providers are contractually bound to protect your data.
• Legal requirements: Where required by law, court order, or lawful authority.
• Business transfer: In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity, subject to the same privacy protections.

8. Your Rights Under POPIA

You have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your information (subject to legal retention requirements).
• Object to processing in certain circumstances.
• Lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, contact us at checkin@welcomedesk.co.za.

9. Cookies

This website uses only essential session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Practice Users of material changes by email. Continued use of Welcome Desk after changes are published constitutes acceptance of the updated Policy.