1. Introduction
Baselayer ("we", "our", or "us") is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable data protection laws.
This Privacy Policy explains how we collect, use, store, and protect personal information when you use our digital practice management platform.
2. Information We Collect
We collect the following categories of personal information:
- Identity Information: Full name, title/gender, SA ID number, passport number, date of birth
- Contact Information: Phone number, email address, physical address
- Medical Information: Medical history, allergies, medications, medical conditions, medical aid details (scheme, number, main member)
- Biometric Information: Digital signature, patient photograph
- Treatment Information: Treatment type, procedure details, consent records, clinical findings, recommendations, referral details, implant data
- Clinical Notes: Patient history notes, visit records, follow-up notes and clinical observations created by Practitioners
- Appointment Data: Appointment dates, times, doctor assignments, patient names and appointment notes
- Financial Information: Payment card details (card number, cardholder name, bank, card type, expiry date) stored for supplier form autofill (CVV is never stored); billing data including quotes, invoices, payment records and dental procedure codes processed through the billing integration
- Communication Data: WhatsApp number for patient instruction delivery
- Technical Information: Device type, timestamp of form submission, activity logs, data access audit trails
3. Purpose of Collection
We collect personal information for the following purposes:
- To obtain and record informed consent for medical treatments
- To create legally compliant consent documentation
- To enable healthcare providers to maintain patient records
- To generate clinical documents (referrals, scripts, lab forms, implant reports, medical certificates, patient reports)
- To process supplier forms and payment authorisations on behalf of the practice
- To provide AI-assisted writing tools that help practitioners polish clinical notes
- To send patient instructions and communications via email and WhatsApp
- To comply with legal and regulatory requirements
- To communicate with patients regarding their treatment
4. Legal Basis for Processing
We process your personal information based on:
- Consent: You provide explicit consent when submitting a consent form
- Legal Obligation: Healthcare providers are legally required to obtain informed consent
- Legitimate Interest: Maintaining accurate medical records for patient safety
5. Data Storage and Security
Your information is protected through:
- Industry-standard encryption for all data in transit (HTTPS/TLS)
- Secure cloud storage for practice documents and records
- Database-level access controls ensuring data isolation between practices
- Authenticated API access requiring valid session tokens for all protected endpoints
- Practice membership verification ensuring users can only access data for their authorised practice
- Browser security policies restricting which external resources can load
- Input validation on all API endpoints
- Server-side-only access for sensitive data (e.g. payment card details are never exposed to the browser)
- Role-based access controls limiting data access to authorised users (admin, doctor, staff)
- Audit trails and activity logging recording document actions and patient data access
- Rate limiting to prevent automated abuse
- Comprehensive security headers to prevent common web vulnerabilities
- Regular security assessments
Data may be stored on servers located outside South Africa. We ensure all third-party providers comply with equivalent data protection standards.
6. Data Retention
Consent forms and related medical records are retained for a minimum of 7 years from the date of treatment, or longer if required by law or for ongoing medical care.
After the retention period, data will be securely deleted or anonymised.
7. Data Sharing
We may share your information with:
- The healthcare provider/practice where you completed the consent form
- Cloud infrastructure and storage providers for secure document hosting and processing
- Authentication and database service providers for secure user management and data storage
- Email delivery service providers for sending documents and notifications
- Messaging service providers for delivering patient instructions via WhatsApp
- AI service providers for processing clinical text through the AI Writing Assistant (only the text content of the specific field being polished is sent, not the full patient record) and for the AI Chatbot feature (conversation content only)
- Accounting and billing service providers for quoting, invoicing and payment processing when the Practice has enabled the billing integration — patient names and billing details are shared as part of invoice creation
- Legal authorities when required by law
We do not sell your personal information to third parties.
8. Your Rights
Under POPIA, you have the right to:
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your information (subject to legal retention requirements)
- Objection: Object to processing of your information
- Complaint: Lodge a complaint with the Information Regulator
To exercise these rights, contact the healthcare practice where you submitted your consent form, or contact us directly.
9. AI Features
Our platform includes AI-powered features provided by a third-party AI service provider:
AI Writing Assistant
- Only the specific text content of the field being polished (e.g. clinical findings, recommendations, or treatment notes) is sent to the AI provider for processing. Full patient records, names, IDs, or other personal identifiers are not transmitted.
- AI-generated suggestions are presented to the practitioner for review and must be explicitly accepted before replacing the original text.
- The AI provider processes data in accordance with their data usage policies. We use their API, which does not use submitted data for training purposes.
- The AI does not add medical information that was not present in the original text. All clinical content remains the responsibility of the practitioner.
AI Chatbot
- The AI Chatbot provides general assistance with using the Platform. It does not provide medical advice.
- Conversation content is transmitted to and processed by the AI provider. Users should not enter patient Personal Information, clinical details, or other sensitive data into the chatbot.
- The AI provider processes chatbot data in accordance with their data usage policies and does not use API-submitted data for training purposes.
10. Payment Card Data
Practices may optionally store payment card details for use with supplier forms:
- Card details (number, cardholder name, bank, type, expiry) are stored in our secure database with access controls ensuring data isolation between practices.
- CVV/CVC is never stored. It must be entered manually each time a supplier form is submitted.
- Card data is accessible only via server-side API routes using the service role key. It is never exposed directly to the browser.
- Admins can add, edit, deactivate, or delete stored cards at any time from Practice Settings.
11. Billing Data
Practices may optionally connect to a third-party accounting service for billing:
- When the billing integration is enabled, patient names and billing details (procedure codes, amounts, dates) are shared with the accounting service provider to create quotes, invoices and payment records.
- The Practice's connection credentials are stored securely in our database. The Practice can disconnect at any time.
- Baselayer does not store copies of invoices or financial records beyond what is needed to facilitate the integration. The source of truth for financial data is the Practice's accounting service account.
- The accounting service provider processes billing data in accordance with their own privacy policy and terms of service.
12. WhatsApp Communications
Patient instructions may be delivered via WhatsApp using a third-party messaging service:
- WhatsApp messages are sent using pre-approved templates and are initiated by the practice on behalf of the patient.
- The patient's phone number is shared with the messaging service provider solely for the purpose of message delivery.
- Message content is limited to post-operative instructions and practice communications as consented to by the patient.
13. Cookies
Our platform uses essential cookies only for authentication and session management. We do not use tracking or marketing cookies.
14. Information Officer
For any privacy-related queries or to exercise your data rights, please contact:
15. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date.
16. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at: