VeriNote

Privacy Policy

This Privacy Policy explains how Kosi Connect (Pty) Ltd collects, uses, stores, and protects your personal information when you use the VeriNote platform.

Effective date: 16 May 2025 Version 1.0

By using VeriNote, you agree to the practices described here.

1. Who We Are

VeriNote is operated by Kosi Connect (Pty) Ltd, a company registered in the Republic of South Africa.

Company nameKosi Connect (Pty) Ltd
Trading asVeriNote
Registered address30 Neven Street, Fransville, eMalahleni, Mpumalanga, South Africa
Privacy contactprivacy@verinote.co.za
Websitehttps://verinote.co.za

Kosi Connect (Pty) Ltd is the responsible party, as defined under the Protection of Personal Information Act 4 of 2013 ("POPIA"), in respect of the personal information we process through the VeriNote platform.

2. Definitions

PlatformThe VeriNote mobile application and web application, including all related services.
PractitionerA registered doctor, pharmacist, or other healthcare provider who uses VeriNote to issue verified medical documents.
PatientAn individual whose medical note or prescription is issued through the Platform.
Employer / VerifierA business, HR team, or individual who uses the Platform to verify the authenticity of a medical document.
Personal informationInformation that identifies or can identify a living natural person, as defined under POPIA.
Special personal informationSensitive categories of personal information under POPIA, including health and medical data.
ProcessingAny operation performed on personal information, including collection, storage, use, disclosure, and deletion.
POPIAThe Protection of Personal Information Act 4 of 2013 (South Africa).

3. Information We Collect

3.1 From Practitioners (Doctors & Pharmacists)

When you register and use VeriNote as a practitioner, we collect:

  • Full name, professional title, and contact details (email address and phone number)
  • HPCSA or SAPC registration number and professional category
  • South African identity number, used for identity verification purposes
  • Practice or pharmacy name, address, and contact details
  • Practice logo and signature image uploaded by you for use on documents
  • Login credentials, including email address and encrypted password
  • Subscription and billing information processed via our payment provider
  • Usage data, including notes issued, verification activity, login history, device type, and IP address

3.2 From Patients

Patient information is entered into the Platform by the treating practitioner at the time of issuing a medical document. We collect:

  • Full name and date of birth
  • South African identity number or passport number
  • Gender
  • Mobile phone number and email address, used to deliver the note by SMS and email
  • Medical aid name and membership number, where provided
  • Diagnosis and clinical details entered by the practitioner onto the medical note

Medical and health information constitutes special personal information under POPIA and is handled with heightened care and security. Patients do not register on the Platform; their information is provided by their treating practitioner.

3.3 From Employers and Verifiers

When you register as an employer or verifier, we collect:

  • Company name, registered address, and contact details
  • Name, job title, and email address of the registered account holder and any additional users
  • Verification activity: which notes were scanned, when, from which device and IP address, and the result
  • Subscription and billing information

3.4 Automatically Collected Data

When you use the Platform, we automatically collect certain technical information:

  • Device type, operating system, and app version
  • IP address and approximate location at city or region level
  • Session data, page views, and feature usage
  • Error logs and crash reports

4. How We Use Your Information

4.1 To Provide the Service

  • Create and manage practitioner accounts and practice profiles
  • Generate QR-verified medical notes and prescriptions
  • Deliver medical documents to patients via SMS and email
  • Enable employers and verifiers to confirm the authenticity of medical documents
  • Maintain a full audit trail of document issuance and verification activity
  • Process subscription payments and manage billing

4.2 To Protect Integrity and Prevent Fraud

  • Detect suspicious scanning patterns or potential misuse of documents
  • Verify practitioner registration against the HPCSA and SAPC public registers
  • Maintain revocation records for documents that have been invalidated

4.3 To Improve the Platform

  • Analyse usage patterns to improve features and user experience
  • Investigate and resolve technical errors or support requests
  • Develop new features based on user feedback and usage data

4.4 To Communicate With You

  • Send transactional messages, such as account confirmation, password reset, and note delivery
  • Send service notifications, such as suspicious activity alerts and subscription reminders
  • Send product updates and feature announcements, which you may opt out of at any time

4.5 To Meet Legal Obligations

  • Comply with POPIA and applicable South African law
  • Respond to lawful requests from regulatory authorities or law enforcement
  • Maintain records required for audit, legal, or regulatory purposes

5. Legal Basis for Processing

Contractual necessityProcessing required to provide the VeriNote service you have signed up for.
Legitimate interestFraud detection, platform security, and product improvement, where these do not override your rights.
Legal obligationCompliance with POPIA, tax law, and other applicable South African legislation.
ConsentFor optional communications such as marketing emails. You may withdraw consent at any time by contacting privacy@verinote.co.za.
Special information - Section 27 POPIAHealth and medical data is processed because it is necessary for the legitimate purpose of issuing and verifying medical documents, which is the core function of the Platform. Practitioners who enter patient health data do so in their professional capacity and are themselves bound by applicable health sector legislation and ethical obligations.

6. How We Share Your Information

We do not sell your personal information. We do not share it with advertisers. We share information only in the following limited circumstances:

6.1 With Verifiers (Employers, Pharmacists, HR Teams)

When an employer or pharmacist scans a QR code on a VeriNote document, they are able to view the verification result. This includes the issuing practitioner's name, HPCSA or SAPC number, practice name, note type, valid dates, and the patient's first name and last initial. This disclosure is the core function of the service and is the reason the Platform exists.

6.2 With Service Providers

We use third-party service providers to operate the Platform. These providers process data only on our instruction and are bound by data processing agreements:

  • Cloud infrastructure: Amazon Web Services (AWS). Servers are located outside South Africa. Data transfers to AWS are governed by standard contractual clauses.
  • SMS delivery: a registered South African or international SMS gateway provider.
  • Payment processing: a PCI-DSS compliant payment provider, such as PayFast. We do not store full card details on our systems.
  • Error monitoring and crash reporting: tools such as Sentry or equivalent.

6.3 Cross-Border Data Transfers

VeriNote uses international cloud infrastructure (AWS). Your data may be stored and processed outside South Africa. Where this occurs, we ensure appropriate safeguards are in place in accordance with Section 72 of POPIA, including standard contractual clauses or adequacy decisions.

6.4 Legal Disclosure

We may disclose personal information where required to do so by law, court order, or a lawful request from a regulatory authority, including the Information Regulator of South Africa. We will notify affected users where we are legally permitted to do so.

7. Data Retention

We retain personal information for as long as is necessary to provide the service and meet our legal obligations. Specific retention periods are as follows:

Medical notes and prescriptionsRetained indefinitely in a soft-deleted state. Notes are never permanently destroyed because they may be required as legal evidence. Revoked notes remain in the system with their revocation record.
Practitioner account dataRetained for the duration of the account, and for 5 years after account closure.
Patient dataRetained for as long as the issuing practitioner's account is active, and for 5 years after. Patients may request deletion of their data subject to the constraints of our legal record-keeping obligations.
Verification logsRetained for 5 years to support potential CCMA, legal, or disciplinary proceedings.
Payment recordsRetained for 5 years in accordance with South African tax and financial record-keeping requirements.
Usage and technical dataRetained for 12 months, after which it is aggregated and anonymised.

8. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights in respect of your personal information:

  • Right of access: you may request a copy of the personal information we hold about you. Contact privacy@verinote.co.za with your name and email address. We will respond within 30 days.
  • Right to correction: you may request that we correct inaccurate or incomplete information. You can update most of your information directly within the app. For corrections to sensitive records, contact privacy@verinote.co.za.
  • Right to deletion: you may request that we delete your personal information. We will action deletion requests where we are not legally required to retain the data. Medical notes and verification logs may be retained for legal and regulatory reasons even after an account is closed.
  • Right to object: you may object to certain processing, including direct marketing. To opt out of marketing communications, use the unsubscribe link in any email or contact privacy@verinote.co.za.
  • Right to complain: you have the right to lodge a complaint with the Information Regulator of South Africa. Information Regulator (South Africa): www.justice.gov.za/inforeg - inforeg@justice.gov.za.

9. Security

We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or misuse:

  • All data is encrypted in transit using TLS 1.2 or higher
  • Sensitive data, including identity numbers, is encrypted at rest
  • Access to personal data is restricted to authorised personnel on a need-to-know basis
  • Passwords are hashed using industry-standard algorithms and are never stored in plaintext
  • All infrastructure is hosted on AWS with enterprise-grade physical and network security
  • We maintain an access audit log for all administrative actions on the platform
  • Security vulnerabilities are addressed as a priority through our incident response process

No system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Regulator and affected individuals as required by POPIA within the prescribed timeframes.

10. Cookies and Tracking

The VeriNote web application uses cookies and similar technologies to:

  • Maintain your login session
  • Remember your preferences
  • Analyse usage patterns to improve the platform

The VeriNote mobile app does not use browser cookies but may use device identifiers and analytics SDKs for the same purposes. You can reset your device advertising ID through your device settings at any time.

We do not use cookies for advertising or for tracking you across third-party websites.

11. Children's Privacy

VeriNote is not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact privacy@verinote.co.za and we will take steps to delete that information promptly.

Medical notes may be issued by practitioners in respect of minor patients. In such cases, the practitioner is responsible for ensuring they have appropriate authority to share the patient's information with the Platform, including parental or guardian consent where required.

12. Third-Party Links and Services

The Platform may contain links to third-party websites or services, including payment providers and external verification resources such as the HPCSA practitioner register. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through VeriNote.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, the Platform, or applicable law. When we make material changes, we will:

  • Update the effective date at the top of this document
  • Notify registered users by email at least 14 days before the changes take effect
  • Display a notice within the app

Continued use of VeriNote after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you may close your account by contacting privacy@verinote.co.za.

14. Contact Us

Emailprivacy@verinote.co.za
Postal addressKosi Connect (Pty) Ltd, 30 Neven Street, Fransville, eMalahleni, Mpumalanga, South Africa
Response timeWe aim to respond to all privacy queries within 5 business days.

This Privacy Policy was prepared for Kosi Connect (Pty) Ltd trading as VeriNote. It is designed to comply with the Protection of Personal Information Act 4 of 2013 (POPIA) and applicable app store requirements. It does not constitute legal advice. You are encouraged to have this document reviewed by a qualified South African attorney before publishing, particularly as your data processing activities expand.

Kosi Connect (Pty) Ltd - Trading as VeriNote
30 Neven Street, Fransville, eMalahleni, Mpumalanga
privacy@verinote.co.za - verinote.co.za - Version 1.0 - 16 May 2025