Privacy Policy

1. Introduction

Baselayer.med ("we", "our", or "us") is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, share and protect personal information when practices and their staff use our cloud-based practice management platform (the "Platform"). The Platform serves dental, general practitioner and biokineticist practices, and includes consent and clinical document generation, appointment scheduling, dental charting, patient records, a built-in billing engine, optional accounting and medical-aid integrations, practice analytics, AI-powered tools, and patient communications.

2. Information We Collect

We collect the following categories of personal information:

• Identity Information: Full name, title/gender, SA ID number, passport number, date of birth, file number
• Contact Information: Phone number, email address, physical address, WhatsApp number, emergency contact details
• Guardian Information: For child / dependant patients, guardian name, contact details, ID number and relationship
• Medical Information: Medical history, allergies, current medications, medical conditions, pregnancy/bleeding flags, medical aid details (scheme, plan, member number, dependant code, main member)
• Biometric Information: Digital signature and (where the patient has been photographed by the practice) patient photographs
• Clinical and Treatment Information: Treatment type, procedure details, consent records, clinical findings, recommendations, referral details, dental implant data, medical certificates, lab work specifications, and patient reports
• Patient Photographs & Imagery: Intra-oral photographs, before/after photographs and other clinical images uploaded by the practice and linked to a patient's file
• Dental Charting Data: Odontogram and periodontal charts, including per-tooth marks, surfaces, conditions, layers (existing / proposed / completed), pocket depths, furcations, mobility and chart-level summary notes
• Clinical Notes: Patient history notes, follow-ups, phone-call notes, general notes and visit records authored by Practitioners
• Voice Recordings (transient): Audio captured by the in-app dictation feature is sent to a third-party transcription service to produce text. Audio is not retained by Baselayer.med after transcription
• Appointment Data: Appointment dates, times, doctor assignments, appointment types, recurrence, patient names, contact details and appointment notes; reminder delivery status
• Stock-Take Data: Stock categories, items, opening/added/sold/practice-use counts and (where the practice tracks bookings) the patient name linked to a stock booking
• Practice Tasks: Weekly task lists with content and authoring metadata
• Billing & Financial Information: Quotes, invoices and payment records created in the built-in Baselayer Billing engine or via a connected external accounting service; line items, dental/medical procedure codes, ICD-10 codes, tariff amounts, tax, due dates, balances and patient billing details
• Medical Aid Claim Data: Where the practice submits electronic claims via a medical-aid switching service, claim payloads include patient identity, scheme/plan/member/dependant codes, treatment codes, ICD-10 codes, amounts, destination codes and the resulting acknowledgement / rejection / status response
• Saved Payment Card Data: Card number, cardholder name, bank, card type and expiry date stored for autofill on supplier forms (CVV/CVC is never stored)
• Subscription & Payment Data: When a practice subscribes to Baselayer.med, our subscription provider collects bank account / card mandate data and processes recurring debit orders or card payments. We retain subscription status, plan, billing dates, mandate references and invoice records
• Communication Data: Email and WhatsApp messages sent by the platform on behalf of the practice (patient instructions, appointment reminders, document delivery)
• Account & Authentication Data: User name, email, role, practice membership, hashed password (held by the authentication provider), session tokens and password-reset metadata
• Practice Configuration: Practice name, logo, vertical (dental / GP / biokinetics), form customisations, instruction templates, role assignments, directories (specialists, medications, labs)
• Technical & Audit Information: Device type, browser, IP address, timestamps, activity logs (which document was created, viewed, sent, or modified, and by whom) and AI-agent invocation logs
• Marketing Information (opt-in only): Email address and source for newsletter subscribers, and demo-booking conversations conducted via WhatsApp

3. Purpose of Collection

We collect personal information for the following purposes:

• To obtain, record and store informed consent for medical and dental treatments
• To enable healthcare providers to maintain patient records, charts and visit history
• To generate clinical documents (consent forms, prescription scripts, referrals, lab forms, implant reports, medical certificates, patient reports and post-operative instructions)
• To create and store dental charting records (odontogram and periodontal charts) and link them to patient files
• To capture and store patient photographs and imagery linked to a patient's file
• To provide voice dictation by transcribing audio captured in the app into text the practitioner can review
• To run an AI medication safety check that flags potential allergies, interactions, contraindications and pregnancy / bleeding risks against the patient's recorded profile
• To create, store, send and track quotes, invoices and payments using the built-in Baselayer Billing engine, and (optionally) to mirror those records into a connected external accounting service
• To submit electronic medical-aid claims and receive responses through a medical-aid switching service when the practice elects to do so
• To manage appointments, send appointment reminders by WhatsApp, and (optionally) sync practitioner calendars with a supported third-party calendar service
• To track practice stock levels and link stock bookings to patient visits where the practice has enabled that feature
• To send patient communications (documents, post-operative instructions, reminders) by email and WhatsApp
• To produce practice analytics — including aggregated dashboards on patient demographics, billing performance, treatment mix, team activity and retention — and (optionally) AI-generated narrative insights based on those aggregates
• To process subscription payments and recurring debit orders for the Platform subscription
• To provide the AI Writing Assistant and AI Chatbot features
• To maintain audit trails of data access and modifications for security and POPIA compliance
• To send marketing communications (newsletter) only to recipients who have explicitly opted in
• To comply with legal, regulatory and professional-body requirements

4. Legal Basis for Processing

We process your personal information based on:

• Consent: Patients provide explicit consent when submitting a consent form, and additional consent (e.g. for WhatsApp communications, photography or medical-aid claim submission) is captured by the treating practice where required
• Contract: Processing is necessary to deliver the practice management service contracted for by the subscribing practice and its users
• Legal Obligation: Healthcare providers are legally required to obtain and retain informed consent and to keep accurate medical records
• Legitimate Interest: Maintaining accurate medical records for patient safety, securing the Platform, preventing fraud, and providing essential analytics and audit trails to the practice

5. Data Storage and Security

Patient records, documents, charts, billing data and configuration are stored in Baselayer.med's managed cloud database and object storage, hosted on enterprise-grade infrastructure provided by our database, storage and hosting partners. Where the practice has connected an external accounting service, billing data may also be synced to that service.

Your information is protected through:

• Industry-standard encryption for all data in transit (HTTPS/TLS) and encryption at rest provided by our cloud database and storage partners
• A managed object-storage bucket holding all generated PDFs, photographs and uploaded files, scoped per practice and accessed only via short-lived signed URLs minted by authenticated server endpoints
• Database-level row isolation ensuring data belonging to one practice cannot be read or modified by another
• Authenticated API access requiring valid session tokens for every protected endpoint
• Practice membership verification ensuring users can only access data for their authorised practice
• Role-based access controls limiting data access to authorised users (admin, doctor / practitioner, hygienist / nurse / assistant, staff)
• Server-side-only access for sensitive data (e.g. payment card details and medical-aid switch credentials are never exposed to the browser)
• Browser security policies (CSP, HSTS and related headers) restricting which external resources can load
• Input validation, sanitisation of rich-text content, and rate limiting on all public and authenticated endpoints
• Comprehensive activity logging for document creation, sending and modification
• An immutable audit trail recording which user accessed or modified patient data, including IP address and timestamp
• An AI-agent invocation log recording every automated agent run, the model used, and a summary of the inputs and outputs
• Regular security assessments and dependency updates

Our hosting, database, storage, AI, messaging, accounting and medical-aid switching partners may operate servers located outside South Africa. We require all such partners to apply equivalent data-protection standards and to process data only on documented instructions.

6. Data Retention

Consent forms, clinical records, charting data, patient notes, billing records and related medical records are retained for a minimum of 7 years from the date of treatment, or longer if required by law, by professional-body rules, or for ongoing medical care.

Voice recordings used for dictation are not retained: audio is streamed to the transcription service, the resulting text is returned to the practitioner, and the recording is discarded.

Audit logs and AI-agent invocation logs are retained for at least the same period as the underlying records they relate to.

Marketing newsletter subscribers can unsubscribe at any time, after which their record is deleted from the marketing audience.

After the applicable retention period, data will be securely deleted or anonymised.

7. Data Sharing and Sub-Processors

We share personal information only with the following categories of recipient, and only to the extent necessary to deliver the Platform:

• The healthcare provider / practice where the patient was seen (the data controller for clinical data)
• Cloud database, storage and hosting providers for secure document hosting, database operations and serving the application
• Authentication provider for user account management, password handling and session security
• Email delivery provider for sending documents, instructions, appointment reminders, system emails and (for opt-in subscribers only) newsletters
• Messaging provider for delivering WhatsApp messages — patient instructions, appointment reminders and demo-booking conversations
• AI service providers for the AI Writing Assistant, AI Chatbot, AI medication safety check, voice transcription, and the analytics "AI insights" summary. Only the specific text or audio required for each task is transmitted; full patient records are not sent
• External accounting service providers when the practice has connected one — patient names and billing details are shared as part of invoice and payment creation. The built-in Baselayer Billing option keeps this data inside our own managed cloud database and does not share it with an external accounting service
• Medical-aid switching service when the practice elects to submit electronic claims — claim payloads (including patient identity, scheme membership and treatment details) are transmitted to the switch and forwarded to the relevant scheme
• Subscription / payment provider for processing the practice's Baselayer.med subscription via debit-order or card payment
• Calendar integration provider only when a practitioner has explicitly connected a third-party calendar
• Marketing-site analytics providers (industry-standard search and web analytics tools) used only for the public marketing website (baselayer.med) — these do not receive patient or clinical data
• Legal authorities when required by law or to protect the rights, safety or property of patients, practices, or Baselayer.med

We do not sell your personal information to third parties, and we do not use patient or clinical data for advertising.

8. Your Rights

Under POPIA, you have the right to:

• Access: Request a copy of your personal information
• Correction: Request correction of inaccurate information
• Deletion: Request deletion of your information (subject to legal retention requirements applicable to medical records)
• Objection: Object to processing of your information
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
• Complaint: Lodge a complaint with the Information Regulator of South Africa

To exercise these rights, contact the healthcare practice where you submitted your consent form (the data controller for your clinical data), or contact us using the details in section 16.

9. AI Features

The Platform includes several AI-powered features provided by third-party AI service providers. In every case, the AI does not make clinical decisions and the practitioner remains responsible for any output that is acted upon.

AI Writing Assistant

• Only the specific text content of the field being polished (e.g. clinical findings, recommendations, or treatment notes) is sent to the AI provider for processing. Full patient records, names, ID numbers, or other personal identifiers are not transmitted.
• AI-generated suggestions are presented to the practitioner for review and must be explicitly accepted before replacing the original text.
• The AI provider processes data via their API, which is configured not to use submitted data for model training.
• The AI does not add medical information that was not present in the original text. All clinical content remains the responsibility of the practitioner.

AI Chatbot

• The AI Chatbot provides general assistance with using the Platform. It does not provide medical advice.
• Conversation content is transmitted to and processed by the AI provider. Users should not enter patient personal information, clinical details, or other sensitive data into the chatbot.
• The AI provider processes chatbot data in accordance with their API data-usage policies and does not use API-submitted data for training.

AI Medication Safety Check

• When a practitioner is prescribing, the medication name and a non-identifying summary of the patient's allergies, current medications, conditions, pregnancy status and bleeding history are sent to the AI provider to surface potential allergy, interaction, contraindication, pregnancy and bleeding-risk concerns.
• The patient's name, ID, contact details or other direct identifiers are not transmitted.
• The output is advisory only. The prescribing practitioner is solely responsible for the prescription.

Voice Dictation / Transcription

• When a practitioner uses the in-app dictation tool, the recorded audio is streamed to a third-party speech-to-text service and the resulting transcript is returned to the practitioner for review.
• Audio is not stored by Baselayer.med after transcription. The practitioner must review and accept the transcribed text before it is saved into a clinical record.
• Practitioners should avoid dictating direct identifiers (e.g. ID numbers, full names of third parties) where this is not clinically necessary.

Practice Analytics & AI Insights

• The analytics dashboard is computed entirely inside our own database from the practice's existing records. No patient-level data is sent to a third party for the dashboard itself.
• If the practice opts to generate AI narrative "insights", only aggregated, non-identifying summary numbers (counts, percentages, top categories) are sent to the AI provider — never patient names, contact details, identifiers or clinical free-text.
• Insights are advisory only and must not be relied upon for clinical or financial decisions.

10. Built-in Baselayer Billing

Baselayer.med includes a built-in billing engine ("Baselayer Billing") that allows practices to create, send and track quotes, invoices and payment records inside the Platform without using an external accounting service.

• Quotes, invoices, line items, procedure / tariff codes, ICD-10 codes, amounts, taxes, dates, balances and patient billing details are stored in our managed cloud database, scoped to the issuing practice.
• Invoice and statement PDFs may be emailed to the patient via our email delivery provider on behalf of the practice.
• The practice remains responsible for the accuracy of all billing information, including procedure codes, tariffs, taxes and patient details.
• Practices may switch between Baselayer Billing and a connected external accounting service at any time. Historical records remain associated with the provider that created them.

11. External Accounting Integrations

Practices may optionally connect their own account with a supported third-party accounting service instead of, or alongside, Baselayer Billing.

• When such an integration is enabled, patient names and billing details (procedure codes, amounts, dates, line items) are shared with the connected accounting service to create customers, quotes, invoices and payment records.
• The practice's OAuth connection credentials and refresh tokens are stored securely in our database and used only to call the relevant accounting API on the practice's behalf. The practice can disconnect at any time.
• Beyond what is needed to facilitate the integration, Baselayer.med does not retain copies of the records held in the external accounting service. The source of truth for those records is the practice's account with the accounting provider.
• The accounting service provider processes billing data in accordance with its own privacy policy and terms of service.

12. Electronic Medical-Aid Claims

Where the practice has elected to submit electronic medical-aid claims through Baselayer.med, claims are transmitted to a medical-aid switching service which routes them to the relevant medical aid scheme.

• Claim payloads include the patient's identity details, the scheme, plan and main-member / dependant information, ICD-10 codes, treatment / tariff codes, line amounts, the destination code for the chosen scheme and the issuing practitioner's practice and provider numbers.
• The switching service's acknowledgement, status and remittance responses are stored against the corresponding invoice for the practice's reference.
• Per-practice switch credentials are stored securely server-side and are never exposed to the browser.
• Each claim is initiated by the practice. Baselayer.med does not adjudicate, approve or guarantee any claim and is not the medical aid scheme or its agent.

13. Saved Payment Card Data (Supplier Forms)

Practices may optionally store payment card details for use with internal supplier forms:

• Card details (number, cardholder name, bank, type, expiry) are stored in our secure database with access controls ensuring data isolation between practices.
• CVV/CVC is never stored. It must be entered manually each time a supplier form is submitted.
• Card data is accessible only via server-side API routes using the service-role key. It is never exposed directly to the browser.
• Admins can add, edit, deactivate, or delete stored cards at any time from Practice Settings.
• Saved card data is used only for the practice's own supplier forms and is never used to charge a patient.

14. Subscription Payments

Subscription fees for Baselayer.med are processed by a third-party payment provider that supports debit orders and card payments.

• Bank-account or card details captured at sign-up are submitted directly to the payment provider; Baselayer.med does not store full bank-account or card numbers used for the platform subscription.
• The payment provider returns a mandate / consent reference which we store against the practice record so we can request scheduled debits.
• We retain subscription status, plan, billing dates, mandate references, invoice records and any failed-payment reasons for accounting and dispute-handling purposes.
• Practices may receive subscription reminder emails and invoice PDFs.

15. Patient Communications & WhatsApp

The Platform sends patient communications by email and WhatsApp on the practice's behalf, using a third-party messaging service:

• WhatsApp messages are sent using pre-approved templates and are initiated by the practice.
• The patient's phone number is shared with the messaging provider solely for the purpose of message delivery and reminder workflows.
• Message content is limited to post-operative instructions, appointment reminders, and document delivery as authorised by the practice.
• Where automated appointment reminders are enabled, a scheduled task sends a single reminder per active appointment in a defined window before the appointment time.
• Patients should direct any clinical questions to the treating practice, not to the WhatsApp number used for delivery.

16. Marketing & Newsletter

Marketing communications are sent only to recipients who have explicitly opted in via the public marketing website. Patients of subscribing practices are not added to marketing audiences as a result of using the Platform clinically.

• Newsletter subscribers' email addresses are stored with our email delivery provider's audience service.
• Subscribers may unsubscribe at any time using the link in any newsletter or by contacting us.
• The public marketing site uses industry-standard search and web analytics tooling only to measure marketing performance. These tools do not receive any patient or clinical data.

17. Cookies & Local Storage

The Platform uses essential cookies and browser local storage for authentication, session management, kiosk-device identification (a per-device ID), and remembering the user's last selected practice. Marketing pages may use additional analytics cookies; these are not used inside the authenticated practice management application. We do not use advertising or cross-site tracking cookies.

18. Information Officer

For any privacy-related queries or to exercise your data rights, please contact:

19. Changes to This Policy

We may update this Privacy Policy from time to time, particularly when new features, sub-processors or integrations are added. Material changes will be posted on this page with an updated revision date and, where appropriate, communicated to practice administrators within the Platform.