This Privacy Policy explains how Elanita Systems (Pty) Ltd collects, uses, stores, and protects your personal information. We are committed to protecting the privacy of both practice users and their patients in accordance with the Protection of Personal Information Act (POPIA), Act 4 of 2013.
1. Who We Are
Elanita Medical is operated by Elanita Systems (Pty) Ltd, a company registered in South Africa.
Registered address: Block D, Midridge South, International Business Gateway, Midrand, 1685, South Africa
Contact: hello@elanita.co.za
2. Information We Collect
Practice and account information
- Practice name, address, specialty, and contact details
- Owner and staff names, email addresses, and roles
- Subscription plan and billing information (payment details are processed by our payment gateways — we do not store card numbers)
- Login credentials (passwords are hashed and never stored in plain text)
Patient information (entered by practice users)
- Patient demographics: name, date of birth, gender, contact details
- Medical history, consultation notes, diagnoses, and treatment plans
- Lab results, vitals, prescriptions, and uploaded documents
- Billing and invoice records
- Medical aid information
Usage and technical information
- IP addresses and browser/device information
- Pages visited and features used within the platform
- Error logs and audit trails (for security and compliance purposes)
3. How We Use Your Information
- To provide and operate the Elanita platform
- To process subscription payments and manage your account
- To send transactional emails (invoices, payment receipts, account alerts)
- To provide customer support
- To maintain security, detect fraud, and comply with legal obligations
- To improve the platform based on usage patterns (aggregated and anonymised)
We do not use patient data for marketing purposes. We do not sell personal information to any third party.
4. Data Storage and Security
All data is stored on servers located in South Africa. We implement the following security measures:
- TLS encryption for all data in transit
- AES-256-GCM field-level encryption for all sensitive patient data at rest — the same standard used by governments and financial institutions worldwide
- Bcrypt password hashing
- Role-based access controls — staff access only the data relevant to their role
- Full audit logging of all data access and changes
- Multi-tenant isolation — no practice can access another practice's data
5. POPIA Compliance
Elanita Systems (Pty) Ltd processes personal information in accordance with POPIA. As a practice using Elanita, you are the responsible party for your patients' data. Elanita Medical acts as the operator processing data on your behalf.
Your responsibilities as a practice include:
- Obtaining appropriate consent from patients to record and store their information
- Ensuring staff access is limited to what is necessary for their role
- Notifying us promptly if you become aware of any data breach
6. Data Retention
We retain practice and patient data for as long as your subscription is active. If you cancel your subscription, your data is retained for 90 days before permanent deletion, giving you time to export records. You may request early deletion by contacting us.
7. Your Rights
Under POPIA, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your information (subject to legal retention requirements)
- Object to the processing of your information
- Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, contact us at hello@elanita.co.za.
8. Third-Party Services
Elanita uses the following categories of third-party services to operate the platform:
- Payment processor — Paystack processes subscription payments in ZAR. Payment details are handled directly by Paystack and never stored on our servers. Paystack is PCI-DSS compliant.
- AI transcription service — consultation audio is sent to an AI transcription service for conversion to text. Audio is processed in real time and not retained beyond the request.
- AI clinical processing service — transcribed consultation text is processed by an AI service to structure it into SOAP note format and provide clinical decision support. Only transcribed text is sent — no patient names, identifiers, or demographic information are included. The service provider does not use API data for model training by default.
- Cloud infrastructure provider — our platform and data are hosted on servers located in South Africa.
- Email infrastructure provider — used for transactional emails such as invoices and account alerts.
Each third-party provider is subject to its own privacy policy and data processing agreement. We select providers who meet appropriate data protection and security standards.
9. Cookies
Elanita uses secure, HttpOnly cookies to manage your login session. These cookies are not accessible to JavaScript and cannot be read by third-party scripts. We do not use advertising cookies, tracking cookies, or any third-party analytics cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify active users of material changes via email. Continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact Us
For any privacy-related queries or concerns:
- Email: hello@elanita.co.za
- Address: Block D, Midridge South, International Business Gateway, Midrand, 1685