
Privacy Policy

How we collect, use, and protect your information

Last updated: 13 February 2026

1. Introduction

NissiHealth is a product of WeMakeSites (Pty) Ltd (Registration No. 2025/527655/07), a company registered in the Republic of South Africa (“WeMakeSites”, “we”, “us”, or “our”). References to “NissiHealth” in this policy refer to the NissiHealth platform operated by WeMakeSites.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our electronic health record platform and related services (collectively, the “Platform”). By accessing or using the Platform, you consent to the data practices described in this policy.

We comply with the Protection of Personal Information Act, 2013 (POPIA) in South Africa and applicable international data protection regulations including the General Data Protection Regulation (GDPR) for European users where applicable.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, practice details, professional registration numbers, and identification documents.
  • Patient Data: Health records, appointment information, prescriptions, clinical notes, medical history, and other clinical data that you enter into the Platform.
  • Payment Information: Billing address and payment method details (processed securely by our third-party payment provider; we do not store full payment card numbers).
  • Audio and Voice Data: Voice recordings captured through the AI Scribe feature for the purpose of generating clinical documentation.
  • Communications: Messages you send to us, support requests, and feedback submitted through any channel.

2.2 Information Collected Automatically

  • Usage Data: Features used, pages viewed, actions taken, session duration, and interaction patterns within the Platform.
  • Device Information: IP address, browser type, operating system, device identifiers, screen resolution, and language preferences.
  • Log Data: Server logs including access times, error logs, and referral URLs.
  • Cookies and Similar Technologies: Session cookies for authentication, preference cookies, and analytics cookies (see Section 10).

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Platform
  • Process transactions and send related information
  • Process voice recordings through AI and speech-to-text services to generate clinical documentation
  • Send administrative messages, security alerts, and service updates
  • Respond to your inquiries and provide technical support
  • Improve our services, develop new features, and conduct internal research and analytics
  • Monitor and analyse usage patterns to improve user experience and Platform performance
  • Ensure security, detect fraud, and maintain the integrity of the Platform through audit logging
  • Comply with legal and regulatory obligations
  • Enforce our Terms of Service and other agreements

4. Patient Data Processing

As a healthcare software provider, we process patient health information on behalf of healthcare practitioners. In this capacity:

  • Healthcare practitioners remain the “responsible party” (as defined under POPIA) for patient data they enter into the Platform
  • WeMakeSites acts as an “operator” processing data in accordance with practitioner instructions and the terms of our agreement
  • We implement appropriate technical and organisational security measures to protect patient data
  • We do not access, use, or share patient data except as strictly necessary to provide our services, comply with law, or as authorised by the responsible party
  • AI features process data to generate clinical documentation. Voice recordings and transcripts are processed in real-time and are not used to train third-party AI models
  • We may use anonymised, aggregated, and de-identified data for the purpose of improving the Platform, provided such data cannot reasonably be used to identify any individual patient

5. Third-Party Service Providers

We use third-party service providers to assist in operating the Platform. These providers may process personal information on our behalf and are contractually obligated to protect it. Categories of providers include:

  • Cloud Infrastructure: Hosting and database services (Supabase, Vercel)
  • AI and Speech Services: Anthropic (Claude AI for clinical documentation), Deepgram and Google Cloud (speech-to-text)
  • Communication Services: Email delivery, SMS, and WhatsApp notifications
  • Payment Processing: Secure payment handling
  • Error Monitoring: Application performance and error tracking (Sentry)
  • Prescription Services: EMGuidance for digital prescription processing

Each third-party provider is selected based on their security practices and compliance with applicable data protection laws. We maintain data processing agreements with all providers who handle personal information.

6. Data Security

We implement industry-standard security measures to protect your information. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security. Our measures include:

  • Encryption: AES-256-GCM encryption for sensitive data at rest; TLS 1.3 for data in transit; field-level encryption for highly sensitive identifiers
  • Access Controls: Role-based access control (RBAC) and row-level security (RLS) enforced at the database level
  • Audit Logging: Comprehensive, immutable logging of all access to sensitive data
  • Authentication: Secure password hashing (bcrypt) and support for two-factor authentication
  • Infrastructure: Hosted in SOC 2 compliant data centres with regular security assessments
  • Rate Limiting: API rate limiting to prevent abuse and denial-of-service

7. Data Sharing and Disclosure

We may share information in the following circumstances:

  • Service Providers: With third-party vendors who assist in providing our services, subject to data processing agreements (see Section 5)
  • Within WeMakeSites: With our parent company and any current or future subsidiaries or affiliates for operational, administrative, and service improvement purposes
  • Legal Requirements: When required by law, regulation, court order, subpoena, or governmental request
  • Protection of Rights: When we believe disclosure is necessary to protect the rights, property, or safety of WeMakeSites, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, reorganisation, sale of assets, or bankruptcy of WeMakeSites (Pty) Ltd or any of its affiliates, in which case your information may be transferred as a business asset
  • With Consent: With your explicit consent for specific purposes

We do not sell personal information or patient health data to third parties for marketing or advertising purposes.

8. Data Retention

We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements:

  • Account Data: Retained while your account is active and for 7 years after account closure, or longer where required by law
  • Patient Records: Retained according to applicable healthcare record retention requirements (minimum 7 years after last contact in South Africa, or longer for minors and certain conditions)
  • Voice Recordings: Processed in real-time for transcription and not retained beyond the session unless explicitly configured by the practitioner
  • Audit Logs: Retained for a minimum of 7 years for compliance purposes
  • Marketing Data: Retained until you unsubscribe or request deletion
  • Anonymised Data: May be retained indefinitely as it cannot be linked to any individual

9. Your Rights

Under POPIA and other applicable laws, you have the right to:

  • Access: Request confirmation of whether we hold your personal information and obtain a copy
  • Correction: Request correction or updating of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to legal and regulatory retention requirements
  • Object: Object to the processing of your personal information in certain circumstances
  • Restriction: Request restriction of processing in certain circumstances
  • Portability: Request a copy of your data in a structured, commonly used, machine-readable format
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing

To exercise these rights, contact us at privacy@nissihealth.com. We will respond to verified requests within 30 days. We may require verification of your identity before processing any request.

Note: For patient data, requests must generally be directed to the healthcare practitioner who is the responsible party for that data. We will assist practitioners in fulfilling such requests.

10. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential Cookies: Required for authentication, security, and core Platform functionality. These cannot be disabled.
  • Preference Cookies: Remember your settings, language, and display preferences.
  • Analytics Cookies: Help us understand how you use our Platform to improve performance and user experience.

You can control non-essential cookie preferences through your browser settings. Disabling essential cookies may affect Platform functionality. We do not use cookies for third-party advertising.

11. International Data Transfers

Our primary data storage is located in secure data centres. Some of our third-party service providers may process data outside of South Africa, including in the United States and European Union. When data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Data processing agreements with standard contractual clauses
  • Transfer to countries with adequate data protection laws as determined by the Information Regulator
  • Technical measures such as encryption to protect data during transfer and at rest
  • Your explicit consent where required under POPIA

12. Children's Privacy

Our Platform is designed for use by healthcare professionals and adult patients. The Platform is not intended for direct use by children under 18. While healthcare practitioners may store paediatric patient records, direct account registration is restricted to persons 18 years of age or older. If you believe a child has provided us with personal information directly, please contact us immediately.

13. Beta and Early Access Features

Certain features of the Platform may be designated as beta, early access, or preview. These features are provided on an “as is” basis and may be modified or discontinued without notice. By using beta features, you acknowledge that:

  • Beta features may collect additional usage data to improve the service
  • Data processed through beta features is subject to this Privacy Policy
  • We may use your feedback and usage patterns to improve beta features, without identifying you personally

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or through a prominent notice on the Platform at least 14 days before the changes take effect. Your continued use of NissiHealth after the effective date of changes constitutes acceptance of the updated policy. If you do not agree to any changes, you must discontinue use of the Platform.

15. Contact Us

For questions about this Privacy Policy or our data practices, contact the Information Officer of WeMakeSites (Pty) Ltd:

  • Company: WeMakeSites (Pty) Ltd, trading as NissiHealth
  • Email: privacy@nissihealth.com
  • Address: Johannesburg, South Africa

You also have the right to lodge a complaint with the Information Regulator of South Africa:
