Legal

Privacy Policy

Effective date: 10 June 2026  ·  GoMedPay

GoMedPay ("we", "us", "our") is a revenue cycle management and practice compliance service operated by Andile Memela CA(SA) CIA ("Information Officer"), trading as GoMedPay, based in South Africa. We are committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA).

This Policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights you have as a data subject under South African law.

1. What personal information we collect

We collect personal information in two ways: information you provide to us directly, and information collected automatically when you use our website.

1.1 Information you provide

  • Contact details: name, email address, telephone number
  • Practice information: practice name, medical specialty, billing bureau or practice manager name (where provided)
  • Inquiry details: details of your practice's billing and claims management situation as described in the assessment request form
  • Newsletter subscription: name and email address when you subscribe to GoMedPay news and resources

1.2 Information collected automatically

  • Usage data: pages visited, time on site, referral source (via Google Analytics)
  • Technical data: IP address (anonymised), browser type, device type
  • Email engagement: whether emails are opened and links clicked (via SendGrid)

2. How we use your personal information

PurposeLawful basis (POPIA)
Responding to a practice inquiry and delivering the assessment serviceLegitimate interest — you requested the service
Sending the newsletter and educational resources you subscribed toConsent — double opt-in subscription
Sending transactional emails (confirmation, assessment PDF)Legitimate interest — service delivery
Improving our website and understanding which content is usefulLegitimate interest — analytics (anonymised)
Complying with South African legal and accounting obligationsLegal obligation — Companies Act s. 73, POPIA

3. Third-party processors

We do not sell your personal information. We share data only with the following processors, each bound by a data processing agreement that limits use to our stated purposes:

  • Twilio SendGrid — transactional and marketing email delivery (servers in the United States; adequacy safeguards: Standard Contractual Clauses)
  • Railway (Railway Corp.) — cloud application hosting and database infrastructure (servers in the United States; SCCs)
  • Cloudflare Inc. — CDN, DDoS protection, and security proxy (servers globally; SCCs)
  • Google Analytics — anonymised website usage analytics (IP anonymisation enabled)

4. How long we keep your information

CategoryRetention period
Practice inquiry data7 years from date of inquiry (Companies Act s. 73 accounting records requirement)
Newsletter subscribersUntil you unsubscribe, then deleted within 12 months
Website analytics26 months (Google Analytics default; IP anonymised)
Email engagement logs24 months

5. Your rights under POPIA

As a data subject under the Protection of Personal Information Act 4 of 2013, you have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that inaccurate or incomplete information be corrected
  • Deletion — request that we delete your personal information (subject to our legal retention obligations)
  • Objection — object to the processing of your personal information, including for direct marketing
  • Withdrawal of consent — withdraw consent to marketing communications at any time using the unsubscribe link in any email
  • Lodge a complaint — submit a complaint to the Information Regulator of South Africa at inforegulator.org.za

To exercise any of these rights, contact our Information Officer using the details below.

6. How we protect your information

  • All data is transmitted over HTTPS with TLS encryption
  • HTTP Strict Transport Security (HSTS) is enforced on all GoMedPay domains
  • Access to production systems is restricted to authorised personnel only
  • Error monitoring is configured with send_default_pii=False — no personal information is included in error reports
  • Database backups are encrypted at rest on Railway infrastructure

7. Cookies

GoMedPay uses only functional cookies necessary for the website to operate (Django session and CSRF tokens) and Google Analytics cookies (with IP anonymisation enabled). We do not use advertising or tracking cookies from third parties.

8. Children's privacy

GoMedPay services are directed at medical practitioners and practice administrators. We do not knowingly collect personal information from persons under the age of 18.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the effective date at the top of this page. We encourage you to review this page periodically.

10. Contact — Information Officer

Information Officer: Andile Memela CA(SA) CIA
Email: [email protected]
Website: www.gomedpay.co.za
Governing law: Republic of South Africa

Related: POPIA Compliance Statement  ·  Terms of Service