By using VeriNote, you agree to the practices described here.
1. Who We Are
VeriNote is operated by Kosi Connect (Pty) Ltd, a company registered in the Republic of South Africa.
Kosi Connect (Pty) Ltd is the responsible party, as defined under the Protection of Personal Information Act 4 of 2013 ("POPIA"), in respect of the personal information we process through the VeriNote platform.
2. Definitions
3. Information We Collect
3.1 From Practitioners (Doctors & Pharmacists)
When you register and use VeriNote as a practitioner, we collect:
- Full name, professional title, and contact details (email address and phone number)
- HPCSA or SAPC registration number and professional category
- South African identity number, used for identity verification purposes
- Practice or pharmacy name, address, and contact details
- Practice logo and signature image uploaded by you for use on documents
- Login credentials, including email address and encrypted password
- Subscription and billing information processed via our payment provider
- Usage data, including notes issued, verification activity, login history, device type, and IP address
3.2 From Patients
Patient information is entered into the Platform by the treating practitioner at the time of issuing a medical document. We collect:
- Full name and date of birth
- South African identity number or passport number
- Gender
- Mobile phone number and email address, used to deliver the note by SMS and email
- Medical aid name and membership number, where provided
- Diagnosis and clinical details entered by the practitioner onto the medical note
Medical and health information constitutes special personal information under POPIA and is handled with heightened care and security. Patients do not register on the Platform; their information is provided by their treating practitioner.
3.3 From Employers and Verifiers
When you register as an employer or verifier, we collect:
- Company name, registered address, and contact details
- Name, job title, and email address of the registered account holder and any additional users
- Verification activity: which notes were scanned, when, from which device and IP address, and the result
- Subscription and billing information
3.4 Automatically Collected Data
When you use the Platform, we automatically collect certain technical information:
- Device type, operating system, and app version
- IP address and approximate location at city or region level
- Session data, page views, and feature usage
- Error logs and crash reports
4. How We Use Your Information
4.1 To Provide the Service
- Create and manage practitioner accounts and practice profiles
- Generate QR-verified medical notes and prescriptions
- Deliver medical documents to patients via SMS and email
- Enable employers and verifiers to confirm the authenticity of medical documents
- Maintain a full audit trail of document issuance and verification activity
- Process subscription payments and manage billing
4.2 To Protect Integrity and Prevent Fraud
- Detect suspicious scanning patterns or potential misuse of documents
- Verify practitioner registration against the HPCSA and SAPC public registers
- Maintain revocation records for documents that have been invalidated
4.3 To Improve the Platform
- Analyse usage patterns to improve features and user experience
- Investigate and resolve technical errors or support requests
- Develop new features based on user feedback and usage data
4.4 To Communicate With You
- Send transactional messages, such as account confirmation, password reset, and note delivery
- Send service notifications, such as suspicious activity alerts and subscription reminders
- Send product updates and feature announcements, which you may opt out of at any time
4.5 To Meet Legal Obligations
- Comply with POPIA and applicable South African law
- Respond to lawful requests from regulatory authorities or law enforcement
- Maintain records required for audit, legal, or regulatory purposes
5. Legal Basis for Processing
6. How We Share Your Information
We do not sell your personal information. We do not share it with advertisers. We share information only in the following limited circumstances:
6.1 With Verifiers (Employers, Pharmacists, HR Teams)
When an employer or pharmacist scans a QR code on a VeriNote document, they are able to view the verification result. This includes the issuing practitioner's name, HPCSA or SAPC number, practice name, note type, valid dates, and the patient's first name and last initial. This disclosure is the core function of the service and is the reason the Platform exists.
6.2 With Service Providers
We use third-party service providers to operate the Platform. These providers process data only on our instruction and are bound by data processing agreements:
- Cloud infrastructure: Amazon Web Services (AWS). Servers are located outside South Africa. Data transfers to AWS are governed by standard contractual clauses.
- SMS delivery: a registered South African or international SMS gateway provider.
- Payment processing: a PCI-DSS compliant payment provider, such as PayFast. We do not store full card details on our systems.
- Error monitoring and crash reporting: tools such as Sentry or equivalent.
6.3 Cross-Border Data Transfers
VeriNote uses international cloud infrastructure (AWS). Your data may be stored and processed outside South Africa. Where this occurs, we ensure appropriate safeguards are in place in accordance with Section 72 of POPIA, including standard contractual clauses or adequacy decisions.
6.4 Legal Disclosure
We may disclose personal information where required to do so by law, court order, or a lawful request from a regulatory authority, including the Information Regulator of South Africa. We will notify affected users where we are legally permitted to do so.
7. Data Retention
We retain personal information for as long as is necessary to provide the service and meet our legal obligations. Specific retention periods are as follows:
8. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights in respect of your personal information:
- Right of access: you may request a copy of the personal information we hold about you. Contact privacy@verinote.co.za with your name and email address. We will respond within 30 days.
- Right to correction: you may request that we correct inaccurate or incomplete information. You can update most of your information directly within the app. For corrections to sensitive records, contact privacy@verinote.co.za.
- Right to deletion: you may request that we delete your personal information. We will action deletion requests where we are not legally required to retain the data. Medical notes and verification logs may be retained for legal and regulatory reasons even after an account is closed.
- Right to object: you may object to certain processing, including direct marketing. To opt out of marketing communications, use the unsubscribe link in any email or contact privacy@verinote.co.za.
- Right to complain: you have the right to lodge a complaint with the Information Regulator of South Africa. Information Regulator (South Africa): www.justice.gov.za/inforeg - inforeg@justice.gov.za.
9. Security
We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or misuse:
- All data is encrypted in transit using TLS 1.2 or higher
- Sensitive data, including identity numbers, is encrypted at rest
- Access to personal data is restricted to authorised personnel on a need-to-know basis
- Passwords are hashed using industry-standard algorithms and are never stored in plaintext
- All infrastructure is hosted on AWS with enterprise-grade physical and network security
- We maintain an access audit log for all administrative actions on the platform
- Security vulnerabilities are addressed as a priority through our incident response process
No system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Regulator and affected individuals as required by POPIA within the prescribed timeframes.
10. Cookies and Tracking
The VeriNote web application uses cookies and similar technologies to:
- Maintain your login session
- Remember your preferences
- Analyse usage patterns to improve the platform
The VeriNote mobile app does not use browser cookies but may use device identifiers and analytics SDKs for the same purposes. You can reset your device advertising ID through your device settings at any time.
We do not use cookies for advertising or for tracking you across third-party websites.
11. Children's Privacy
VeriNote is not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact privacy@verinote.co.za and we will take steps to delete that information promptly.
Medical notes may be issued by practitioners in respect of minor patients. In such cases, the practitioner is responsible for ensuring they have appropriate authority to share the patient's information with the Platform, including parental or guardian consent where required.
12. Third-Party Links and Services
The Platform may contain links to third-party websites or services, including payment providers and external verification resources such as the HPCSA practitioner register. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through VeriNote.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, the Platform, or applicable law. When we make material changes, we will:
- Update the effective date at the top of this document
- Notify registered users by email at least 14 days before the changes take effect
- Display a notice within the app
Continued use of VeriNote after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you may close your account by contacting privacy@verinote.co.za.
14. Contact Us
This Privacy Policy was prepared for Kosi Connect (Pty) Ltd trading as VeriNote. It is designed to comply with the Protection of Personal Information Act 4 of 2013 (POPIA) and applicable app store requirements. It does not constitute legal advice. You are encouraged to have this document reviewed by a qualified South African attorney before publishing, particularly as your data processing activities expand.
Kosi Connect (Pty) Ltd - Trading as VeriNote
30 Neven Street, Fransville, eMalahleni, Mpumalanga
privacy@verinote.co.za - verinote.co.za - Version 1.0 - 16 May 2025