Privacy Policy
Effective date: April 2026
Version 1.0
Metabolic Doc (Pty) Ltd
This Privacy Policy explains how Metabolic Doc (Pty) Ltd and the treating physician ("we", "us", "our") collect, use, store, and protect your personal information when you use our telehealth services. It applies to all information gathered through our website, intake forms, video consultations, and communications.
Health information is classified as Special Personal Information under the Protection of Personal Information Act 4 of 2013 (POPIA) and receives the highest level of protection. By using our services, you confirm that you have read and understood this policy.
1. Who We Are
Trading name: Metabolic Doc
Legal entity: Metabolic Doc (Pty) Ltd
Registration: Registered in the Republic of South Africa
Information Officer: Dr [Surname] — registered with the Information Regulator
Contact email: info@metabolicdoc.co.za
The treating physician operates as a registered medical practitioner under the Health Professions Council of South Africa (HPCSA) and is bound by the HPCSA's ethical and confidentiality obligations in addition to POPIA.
2. Information We Collect
2.1 Personal Information
- Full name, date of birth, sex assigned at birth
- Contact number and email address
- Province of residence
- ID number (where required for prescription purposes)
2.2 Special Personal Information (Health Data)
- Current weight, height, and BMI
- Medical history, existing diagnoses, and chronic conditions
- Current medications and supplements
- Relevant family medical history
- Clinical assessment notes from your physician
- Prescriptions issued
- Progress notes from renewal consultations
2.3 Technical Information
- IP address and browser/device type (collected automatically by our web hosting)
- Form submission timestamps
- Video consultation metadata (duration, date, connection quality)
3. Why We Collect Your Information
We collect and process your information for the following lawful purposes:
- To assess your clinical eligibility for GLP-1 therapy
- To provide you with a telehealth consultation by a registered physician
- To issue a valid e-prescription where clinically appropriate
- To manage script renewals and monitor your progress
- To comply with our obligations under the National Health Act, HPCSA guidelines, and SAHPRA regulations
- To communicate with you regarding your care
- To maintain accurate medical records as required by law
We do not collect your information for advertising, marketing profiling, or any purpose unrelated to your direct medical care.
4. Our Lawful Basis for Processing
Under POPIA, we process your personal information on the following grounds:
Consent: You provide explicit, written consent through our intake form before any personal or health data is collected. This consent is recorded with a timestamp and your typed name.
Contractual necessity: Processing is necessary to provide you with the medical service you have requested and paid for.
Legal obligation: We are required by the National Health Act (Act 61 of 2003) and HPCSA guidelines to maintain medical records, and by SAHPRA to comply with prescription regulations.
Legitimate interest: Maintaining clinical records for continuity of care and patient safety.
5. How We Store and Protect Your Information
We take the security of your health information seriously. The following measures are in place:
- Patient intake forms are stored in an access-controlled, encrypted cloud environment
- Video consultations are conducted over encrypted, POPIA-appropriate platforms
- E-prescriptions are transmitted directly to you via secure email
- Access to patient records is restricted to the treating physician only
- We do not store your information on personal devices or unencrypted systems
- Third-party processors (see Section 7) have signed data processing agreements
Despite these measures, no digital system is completely infallible. In the event of a data breach, we will notify both the Information Regulator and affected patients as soon as reasonably possible, in accordance with POPIA Section 22.
6. How Long We Keep Your Information
Medical records are retained for a minimum of five (5) years from the date of last treatment, as required by the National Health Act. After this period, records are securely and permanently destroyed.
If you withdraw consent and request deletion before this period, we will retain only the minimum information required to comply with our legal obligations (such as proof that a consultation took place and a prescription was issued) and will securely delete all other data.
7. Who We Share Your Information With
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
Service providers: The following processors access data only to provide their services and are bound by data processing agreements:
- Google Workspace — cloud storage, email, and video consultations
- Formspree — intake form submission processing
- Payment processor — consultation and renewal fees (payment data is processed directly and not stored by us)
Legal requirements: Where required by law, court order, the HPCSA, SAHPRA, or another competent authority.
Medical emergencies: In a life-threatening emergency, we may share relevant clinical information with emergency medical services.
We will never share your health information with your employer, family members, medical aid scheme, or any other party without your explicit written consent.
8. Cross-Border Data Transfers
Some of our third-party processors may process data outside South Africa (for example, Google's infrastructure). Where this occurs, we ensure that the recipient country provides adequate data protection, or that appropriate safeguards such as standard contractual clauses are in place, as required by POPIA Section 72.
Where possible, we configure our systems to store data on servers located within South Africa or the European Union, which meets POPIA's adequacy standard.
9. Your Rights Under POPIA
As a data subject, you have the following rights:
Right to access: Request a copy of all personal information we hold about you.
Right to correction: Request that inaccurate or incomplete information be corrected.
Right to deletion: Request deletion of your information, subject to our legal retention obligations.
Right to object: Object to the processing of your information where we rely on legitimate interest as a basis.
Right to withdraw consent: Withdraw your consent at any time. This does not affect the lawfulness of processing prior to withdrawal.
Right to complain: Lodge a complaint with the Information Regulator if you believe your rights have been violated.
To exercise any of these rights, contact us at info@metabolicdoc.co.za. We will respond within 30 days.
10. Information Regulator Contact Details
If you are not satisfied with how we handle your personal information, you may contact the Information Regulator of South Africa:
11. Website Cookies and Tracking
Our website may use basic cookies to ensure proper functionality (session cookies). We do not use third-party advertising cookies or behavioural tracking. We do not participate in any ad networks. Disabling cookies will not affect core website functionality.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law or our practices. The current version will always be available on our website with the effective date noted at the top. We will notify existing patients of material changes by email.
13. Contact Us
For any privacy-related queries, data access requests, or concerns: