← Back to Home

Privacy Policy

Last updated: 2026-01-01 · POPIA Compliant

1. Who We Are

Dr. Tonda Mabasa Medical Practice ("the Practice", "we", "us") is a medical practice operated by Dr. Tonda Mabasa (HPCSA No. 0799181), located at New Redruth, Alberton, 1449, South Africa. We are the responsible party as defined in the Protection of Personal Information Act 4 of 2013 (POPIA).

2. What Personal Information We Collect

We collect the following categories of personal information:

  • Identity data: Full name, date of birth, ID/passport number
  • Contact data: Phone number, email address, physical address
  • Health data (special category): Medical history, symptoms, diagnoses, prescriptions, test results
  • Financial data: Medical aid scheme name and membership number
  • Technical data: IP address, browser type, pages visited (analytics only)

3. Why We Process Your Information

We process your personal and health information to:

  • Provide medical consultations and healthcare services
  • Schedule and confirm appointments
  • Issue prescriptions and sick notes
  • Process medical aid claims on your behalf
  • Send appointment reminders and health communications
  • Comply with legal and regulatory obligations (HPCSA, NHLS, NDoH)

4. Legal Basis for Processing

We process your information under the following legal bases:

  • Consent: For optional communications and non-essential data
  • Contractual necessity: To deliver healthcare services you have requested
  • Legal obligation: To comply with HPCSA regulations, NHI Act, and other health legislation
  • Vital interests: In medical emergencies

5. Health Data (Special Category Information)

Health data receives the highest level of protection under POPIA. It is processed strictly for the purpose of providing you with healthcare and is never sold or shared for marketing purposes. Health records are retained for a minimum of 6 years from last contact as required by HPCSA guidelines.

6. Who We Share Your Information With

We share your information only with:

  • Medical aid administrators — to process claims on your behalf
  • Specialists and referral facilities — with your explicit consent
  • Regulatory bodies — where required by law (HPCSA, NHLS)
  • Technology providers — Supabase (data hosting, SOC 2 certified), Resend (transactional emails), Vercel (hosting)

We do not sell your personal information to any third party.

7. Your Rights Under POPIA

You have the right to:

  • Be informed about how your data is used
  • Access your personal information we hold
  • Request correction of inaccurate information
  • Request deletion (subject to legal retention obligations)
  • Object to certain types of processing
  • Lodge a complaint with the Information Regulator (South Africa)

8. Data Security

We implement industry-standard security measures including encrypted data storage, access controls, TLS encryption in transit, and regular security reviews. Physical records are stored securely on-premises.

9. Retention

Medical records are retained for a minimum of 6 years from last patient contact (HPCSA requirement). Booking data is retained for 2 years. Analytics data is retained for 12 months.

10. Cookies

Please refer to our Cookie Policy for details on how we use cookies.

11. Contact & Complaints

For privacy enquiries or to exercise your rights, contact us at:
Email: info@drmabasa.co.za
Phone: +27 11 907 4040
Address: New Redruth, Alberton, 1449

If you are unsatisfied with our response, you may contact the Information Regulator at inforegulator.org.za.