Privacy Policy
How we collect, use, and protect your personal information and protected health information.
Last updated:
1. Introduction
Practor (Pty) Ltd, a private company registered in South Africa ("Practor," "we," "us," or "our"), provides an enterprise-grade electronic health record (EHR) and practice management platform designed for healthcare practitioners, practice managers, and clinic owners (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at practor.app (the "Site") or use our Service.
We are committed to protecting the privacy and security of your personal information and, where applicable, Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
Important: Where we handle PHI on behalf of a healthcare provider or other Covered Entity, our use and disclosure of that PHI is governed by the terms of our Business Associate Agreement ("BAA"), which supplements this Privacy Policy. In the event of a conflict between this Privacy Policy and a signed BAA, the BAA controls with respect to PHI.
2. Definitions
The following terms have specific meanings throughout this Privacy Policy:
- Personal Information: Any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual. This includes names, email addresses, phone numbers, billing information, IP addresses, and device identifiers.
- Protected Health Information (PHI): Individually identifiable health information transmitted by or maintained in electronic media or any other form, as defined under HIPAA (45 CFR 160.103). PHI includes medical records, diagnoses, treatment plans, prescription data, lab results, and any other information created or received by a healthcare provider that relates to the past, present, or future physical or mental health of an individual.
- Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form, as defined under HIPAA.
- Business Associate: A person or entity that performs functions or activities on behalf of, or provides services to, a Covered Entity involving the use or disclosure of PHI. Practor acts as a Business Associate when processing PHI on behalf of its healthcare provider customers.
- De-identified Data: Health information that has been stripped of all identifiers specified under HIPAA's Safe Harbor method (45 CFR 164.514(b)) such that it does not identify an individual and there is no reasonable basis to believe it could be used to identify an individual.
- Aggregated Data: Data that has been combined with data from multiple sources and cannot be linked to any specific individual.
3. Information We Collect
3.1 Information You Provide
We collect information you provide directly when you interact with us, including:
- Account Information: Name, email address, phone number, professional credentials, practice name and address, National Provider Identifier (NPI), and other registration details.
- Billing Information: Payment method details, billing address, and transaction history. Payment card data is processed by our PCI-DSS compliant payment processor and is not stored on our servers.
- Patient Data (PHI): When you use the Service to manage patient care, you and your authorized staff enter patient demographics, medical histories, diagnoses, treatment plans, encounter notes, prescriptions, lab results, imaging records, insurance information, and other clinical data. This information is PHI and is subject to HIPAA protections.
- Communications: Messages, feedback, support requests, and other correspondence you send to us.
- Waitlist and Marketing: Name, email, practice information, and preferences when you join our waitlist or subscribe to communications.
3.2 Information Collected Automatically
When you access the Site or Service, we automatically collect certain technical information:
- Device and Browser Data: Device type, operating system, browser type and version, screen resolution, and language preferences.
- Usage Data: Pages viewed, features used, click patterns, session duration, and navigation paths within the Service.
- Network Data: IP address, internet service provider, referring and exit URLs, and approximate geographic location derived from IP address.
- Log Data: Server logs recording access times, error logs, and API request metadata.
We collect this data using cookies, web beacons, and similar tracking technologies as described in Section 16.
3.3 Information from Third Parties
We may receive information about you from third-party sources, including:
- Identity Verification Services: To verify healthcare provider credentials and NPI numbers.
- Analytics Providers: Aggregated usage analytics and demographic data.
- Referral Partners: Contact information when you are referred to Practor by a partner or colleague.
- Public Databases: Publicly available information from state licensing boards and the NPPES NPI Registry.
4. How We Use Your Information
We use collected information for the following purposes:
4.1 Providing and Improving the Service
- Operating, maintaining, and delivering the features and functionality of the Service.
- Processing patient data as directed by Covered Entities in accordance with our BAA.
- Powering Ava, our AI assistant, to provide voice commands, ambient clinical documentation, and secure chat functionality.
- Generating scheduling recommendations, billing suggestions, and workflow optimizations.
- Diagnosing technical problems, monitoring performance, and improving reliability.
4.2 Communication
- Sending transactional notifications (appointment reminders, billing alerts, system updates).
- Responding to support inquiries and providing customer service.
- Delivering product updates, security advisories, and administrative notices.
- With your consent, sending marketing communications about new features, events, and educational content. You may opt out of marketing emails at any time.
4.3 Safety and Compliance
- Enforcing our Terms of Service and other agreements.
- Detecting, preventing, and responding to fraud, unauthorized access, and security incidents.
- Complying with applicable laws, regulations, and legal processes, including HIPAA, HITECH, and state health privacy laws.
- Maintaining audit logs as required for HIPAA compliance.
4.4 Analytics and De-identified Research
We may use De-identified Data and Aggregated Data to analyze trends, conduct research, improve our AI models, develop new features, and produce benchmarking reports. De-identified Data is processed in accordance with the HIPAA Safe Harbor de-identification standard and is no longer considered PHI.
5. Protected Health Information and HIPAA Compliance
Our Role: When healthcare providers use Practor to manage patient care, Practor acts as a Business Associate under HIPAA. We process PHI only as directed by the Covered Entity and in accordance with a signed Business Associate Agreement.
5.1 Business Associate Obligations
As a Business Associate, Practor:
- Uses and discloses PHI only as permitted or required by the BAA or as required by law.
- Implements administrative, physical, and technical safeguards to protect PHI as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).
- Reports any Security Incident or Breach of Unsecured PHI to the Covered Entity in accordance with the HITECH Act and HIPAA Breach Notification Rule (45 CFR 164.400-414).
- Ensures that any subcontractors who access PHI agree to the same restrictions and conditions, including entering into a subcontractor BAA.
- Makes PHI available to individuals who request access to their records, as directed by the Covered Entity.
- Makes its internal practices, books, and records relating to PHI available to the U.S. Department of Health and Human Services (HHS) for compliance audits.
- Returns or destroys all PHI upon termination of the BAA, where feasible.
5.2 Minimum Necessary Standard
Practor applies the HIPAA Minimum Necessary standard to all uses and disclosures of PHI. Our systems are designed with role-based access controls to ensure that workforce members and automated systems access only the minimum amount of PHI necessary to accomplish the intended purpose.
5.3 AI Processing of PHI
Ava, our AI assistant, processes PHI to provide features such as ambient clinical documentation, voice commands, and intelligent chat responses. All AI processing of PHI occurs within our secured infrastructure. PHI processed by Ava is:
- Encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
- Never used to train general-purpose AI models without explicit, documented authorization from the Covered Entity.
- Subject to the same access controls, audit logging, and retention policies as all other PHI.
- Processed in accordance with the Minimum Necessary standard.
5.4 Patient Rights Under HIPAA
Individuals whose PHI is processed through Practor retain all rights granted under the HIPAA Privacy Rule, including the right to access, amend, and receive an accounting of disclosures of their PHI. These rights are exercised through the Covered Entity (your healthcare provider), who directs Practor to fulfill such requests.
6. Legal Bases for Processing
We process your information on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of a contract (our Terms of Service) |
| Processing PHI | BAA and HIPAA compliance obligations |
| Billing and payment | Performance of a contract; legal obligation |
| Security and fraud prevention | Legitimate interest; legal obligation |
| Marketing communications | Consent (opt-in); legitimate interest (existing customers) |
| Analytics and improvement | Legitimate interest (using De-identified/Aggregated Data) |
| Legal compliance | Legal obligation |
7. Information Sharing and Disclosure
We do not sell your Personal Information or PHI. We share information only in the following circumstances:
7.1 Service Providers and Subcontractors
We engage trusted third-party companies and individuals to perform services on our behalf (hosting, payment processing, analytics, customer support). These providers access only the information necessary to perform their functions and are contractually obligated to protect it. Subcontractors with access to PHI enter into BAAs as required by HIPAA.
7.2 At Your Direction
We share information when you direct us to, such as when a Covered Entity instructs us to transmit PHI to another provider, clearinghouse, or health plan in connection with treatment, payment, or healthcare operations.
7.3 Legal Requirements
We may disclose information if required to do so by law or in response to:
- A valid subpoena, court order, or other legal process.
- Requests from law enforcement or government agencies, to the extent permitted under HIPAA (45 CFR 164.512).
- Situations involving potential threats to safety, where disclosure is necessary to prevent or lessen a serious and imminent threat.
Where PHI is involved, we will disclose only the minimum amount necessary and will notify the Covered Entity of any such request to the extent legally permitted.
7.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you via email or a prominent notice on our Site before your information is transferred and becomes subject to a different privacy policy. Any successor entity receiving PHI will be required to comply with HIPAA.
7.5 De-identified and Aggregated Data
We may share De-identified Data and Aggregated Data with third parties for research, analytics, and benchmarking purposes. Such data does not identify, and is not reasonably capable of being used to identify, any individual.
8. Data Security
We implement comprehensive administrative, technical, and physical safeguards designed to protect your information in accordance with the HIPAA Security Rule and industry best practices.
8.1 Technical Safeguards
- Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption. Database-level encryption with customer-managed keys is available for enterprise plans.
- Access Controls: Role-based access control (RBAC) enforced at the application and database level. Multi-factor authentication (MFA) is required for all accounts accessing PHI.
- Audit Logging: All access to PHI is logged with user identity, timestamp, action performed, and data accessed. Audit logs are immutable and retained for a minimum of six (6) years.
- Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation isolate PHI from other data stores.
- Vulnerability Management: Regular vulnerability scanning, penetration testing by qualified third parties, and a responsible disclosure program.
8.2 Administrative Safeguards
- Security Officer: A designated Security Officer oversees our information security program.
- Privacy Officer: A designated Privacy Officer oversees HIPAA privacy compliance.
- Workforce Training: All employees with access to PHI complete HIPAA privacy and security training upon hire and annually thereafter.
- Background Checks: Background checks are conducted for all personnel with access to PHI.
- Incident Response: A documented incident response plan governs the detection, investigation, containment, and notification procedures for security incidents and breaches.
- Risk Analysis: We conduct regular risk assessments as required by the HIPAA Security Rule (45 CFR 164.308(a)(1)).
8.3 Physical Safeguards
- Data Center Security: Our infrastructure is hosted in data centers covered by current SOC 2 Type II attestation reports, with 24/7 physical security, biometric access controls, and environmental protections.
- Workstation Security: Policies governing the use, access, and security of workstations that access PHI.
8.4 SOC 2 Compliance
Practor is committed to obtaining a SOC 2 Type II attestation report. Our security controls are designed and implemented in alignment with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. We will update this section with details of the report upon completion of our audit.
9. Data Retention
We retain information based on the type of data, its purpose, and applicable legal and regulatory requirements:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of the account plus 3 years, or as required by law |
| Protected Health Information | As directed by the Covered Entity, subject to HIPAA's six-year retention requirement for compliance documentation (45 CFR 164.316(b)(2)) and applicable state medical record retention laws (which may require up to 10 years or longer) |
| Billing and transaction records | 7 years from the date of the transaction |
| Audit logs | Minimum 6 years, in compliance with HIPAA |
| Marketing preferences | Until you opt out or request deletion |
| Technical/usage data | 24 months from collection |
Upon termination of a customer account, we will return or securely destroy PHI as specified in the BAA, unless retention is required by law. Secure destruction follows NIST SP 800-88 guidelines for media sanitization.
10. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your Personal Information:
- Right to Access: Request a copy of the Personal Information we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete Personal Information.
- Right to Deletion: Request deletion of your Personal Information, subject to legal retention requirements.
- Right to Data Portability: Receive your Personal Information in a structured, machine-readable format.
- Right to Restrict Processing: Request that we limit how we use your Personal Information in certain circumstances.
- Right to Object: Object to the processing of your Personal Information for direct marketing or where processing is based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing performed before withdrawal.
To exercise any of these rights, contact us at privacy@practor.app. We will respond to your request within 30 days, or within the timeframe required by applicable law.
PHI Access Requests: If you are a patient whose PHI is managed through Practor, please direct access, amendment, or accounting-of-disclosures requests to your healthcare provider (the Covered Entity). Practor will assist the Covered Entity in fulfilling your request as required by our BAA and HIPAA.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), provides you with additional rights regarding your Personal Information.
Note that CCPA does not apply to PHI that is governed by HIPAA or clinical trial data governed by the Common Rule. The rights described below apply to Personal Information not covered by HIPAA.
11.1 Your CCPA Rights
- Right to Know: You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of Personal Information we have collected, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate Personal Information.
- Right to Opt Out of Sale or Sharing: We do not sell or share (as defined by CCPA) your Personal Information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
11.2 Categories of Information Collected
In the past 12 months, we have collected the following categories of Personal Information as defined by the CCPA:
- Identifiers (name, email, phone number, IP address)
- Professional or employment-related information (practice name, NPI, credentials)
- Commercial information (billing history, subscription details)
- Internet or electronic network activity (usage data, browsing history on our Site)
- Geolocation data (approximate location derived from IP address)
To submit a CCPA request, contact us at privacy@practor.app or using the contact details listed in Section 19. We will verify your identity before processing your request.
12. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, or the Swiss Federal Act on Data Protection, as applicable, together with national implementing legislation, provide you with specific rights regarding your Personal Data. This section supplements the general rights described in Section 10 with GDPR-specific detail.
12.1 Data Controller and Data Processor
For Personal Data collected through the Site (account registration, marketing, analytics), Practor acts as a data controller and determines the purposes and means of processing. When processing Patient Data on behalf of a healthcare provider customer, Practor acts as a data processor (and, in HIPAA terms, a Business Associate). Processing of Patient Data is governed by the Data Processing Agreement ("DPA") executed with the customer, which incorporates the Standard Contractual Clauses where applicable.
12.2 Lawful Bases Under GDPR
We rely on the following lawful bases under Article 6 of the GDPR:
| Processing Activity | Lawful Basis (Article 6) |
|---|---|
| Providing the Service under your subscription | Performance of a contract (Art. 6(1)(b)) |
| Processing health data on behalf of a provider | Processed as a data processor on the documented instructions of the provider (the controller) under the DPA; the provider is responsible for its own lawful basis, typically performance of a contract (Art. 6(1)(b)) together with provision of healthcare (Art. 9(2)(h)) or explicit consent (Art. 9(2)(a)) |
| Sending marketing communications | Consent (Art. 6(1)(a)); you may withdraw consent at any time |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)); balanced against your rights via a documented Legitimate Interest Assessment |
| Preventing fraud and ensuring security | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we process special categories of personal data (health data) as a controller, we rely on Article 9(2)(h) (provision of health or social care) or explicit consent under Article 9(2)(a), as applicable.
12.3 Your Rights Under GDPR
In addition to the rights listed in Section 10, GDPR provides you with the following:
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
- Right to Object to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Practor does not make such decisions about individuals. AI-generated clinical suggestions are always subject to human review by a licensed provider.
- Right to Restrict Processing (Art. 18): Beyond the general right described in Section 10, you may request that we restrict processing of your Personal Data while we verify its accuracy, assess the legitimacy of our interest, or assess your objection to processing.
12.4 International Transfers from the EEA/UK
When Personal Data is transferred from the EEA, UK, or Switzerland to the United States (where our primary infrastructure is located), we rely on:
- Standard Contractual Clauses (SCCs): We use the European Commission's SCCs (Commission Implementing Decision (EU) 2021/914) for controller-to-processor and controller-to-controller transfers, supplemented by a Transfer Impact Assessment.
- UK International Data Transfer Agreement / Addendum: For UK transfers, we use the UK Addendum to the EU SCCs as approved by the ICO.
- Supplementary Measures: Encryption in transit and at rest, pseudonymization where feasible, and access controls limiting which personnel can access transferred data.
12.5 Data Protection Officer
Practor has appointed a Data Protection Officer (DPO) who can be reached at dpo@practor.app. The DPO oversees compliance with GDPR and is available to address questions or concerns about how we process your Personal Data.
12.6 Data Protection by Design and Default
In accordance with Article 25 of the GDPR, Practor implements data protection by design and by default. This means we integrate data protection safeguards into the development of our Service from the outset, collect only the data necessary for each specific purpose, and restrict access to Personal Data to those who need it.
13. South African Privacy Rights (POPIA)
If you are located in South Africa, the Protection of Personal Information Act, 2013 ("POPIA") provides you with specific rights regarding your personal information. This section addresses our obligations under POPIA and supplements the general provisions of this Privacy Policy.
13.1 Responsible Party
For purposes of POPIA, Practor (Pty) Ltd is the "responsible party" in relation to Personal Information we collect directly from you (account data, marketing interactions). When processing patient data on behalf of a healthcare provider customer, Practor acts as an "operator" and processes such data solely on the instructions of the responsible party (your healthcare provider).
13.2 Conditions for Lawful Processing
We process personal information in accordance with the eight conditions for lawful processing under POPIA:
- Accountability: We take responsibility for complying with POPIA and have designated an Information Officer to oversee compliance.
- Processing Limitation: Personal information is processed lawfully, for a specific purpose, and is adequate, relevant, and not excessive.
- Purpose Specification: We collect personal information for the specific, explicitly defined purposes described in Section 4 of this Policy and do not retain it longer than necessary.
- Further Processing Limitation: We do not process personal information for purposes incompatible with the original purpose of collection, unless permitted by law.
- Information Quality: We take reasonable steps to ensure personal information is complete, accurate, and not misleading.
- Openness: This Privacy Policy documents our processing activities. We notify data subjects at the time of collection about what information we collect and why.
- Security Safeguards: We implement the technical and organizational security measures described in Section 8, including encryption, access controls, and breach response procedures.
- Data Subject Participation: You may access, correct, or request deletion of your personal information as described in your rights below.
13.3 Special Personal Information
POPIA classifies health information as "special personal information," the processing of which is prohibited under Section 26 unless a specific authorisation applies. We process health-related personal information only where:
- Processing is necessary for the provision of health services by or under the responsibility of a healthcare professional (Section 32).
- The data subject (or a competent person where the data subject is a child) has provided explicit consent (Section 27(1)(a)).
- Processing is necessary for the establishment, exercise, or defence of a right or obligation in law (Section 27(1)(b)).
13.4 Your Rights Under POPIA
As a data subject under POPIA, you have the right to:
- Access: Request confirmation of whether we hold your personal information and request access to it (Section 23).
- Correction: Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (Section 24).
- Object: Object to the processing of your personal information on reasonable grounds relating to your particular situation, unless the processing is permitted by law (Section 11(3)).
- Object to Direct Marketing: Object at any time to the processing of your personal information for direct marketing purposes (Section 69).
- Complaint: Lodge a complaint with the South African Information Regulator at inforegulator.org.za (Section 74).
- Civil Remedy: Institute civil proceedings regarding an alleged interference with the protection of your personal information (Section 99).
13.5 Cross-Border Transfers
POPIA restricts the transfer of personal information outside of South Africa (Section 72). We transfer personal information to the United States only where:
- The recipient is subject to binding rules or an agreement providing an adequate level of protection substantially similar to POPIA.
- The data subject has consented to the transfer after being informed of the risks.
- The transfer is necessary for the performance of a contract between the data subject and the responsible party.
- The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent.
We implement safeguards including Data Processing Agreements, encryption, and access controls to protect transferred personal information.
13.6 Information Officer
Practor's designated Information Officer for POPIA purposes can be contacted at privacy@practor.app. The Information Officer is responsible for encouraging compliance with POPIA, handling data subject requests, and cooperating with the Information Regulator.
14. International Data Transfers
Practor (Pty) Ltd is a private company registered in South Africa. Our infrastructure spans multiple regions, and your information may be transferred to, stored, and processed in South Africa, the United States, or other jurisdictions where our service providers operate.
Where we transfer Personal Information across borders, we implement appropriate safeguards depending on the applicable legal framework:
- EU/UK (GDPR): Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by Transfer Impact Assessments and the UK Addendum where applicable. See Section 12.4 for details.
- South Africa (POPIA): Transfers comply with Section 72 of POPIA, requiring the recipient to be subject to binding rules or agreements providing adequate protection. See Section 13.5 for details.
- Data Processing Agreements: All subprocessors are bound by Data Processing Agreements with equivalent confidentiality and security obligations.
- Technical Safeguards: Encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and audit logging apply regardless of jurisdiction.
PHI processed under HIPAA is stored in data centers located within the United States unless otherwise specified in the BAA and agreed upon by the Covered Entity.
15. Children's Privacy
The Service is designed for use by healthcare professionals and is not directed at individuals under the age of 18. We do not knowingly collect Personal Information directly from children.
When a healthcare provider uses Practor to manage the care of a minor patient, the PHI of that minor is handled in accordance with HIPAA, applicable state laws governing minors' health information, and the instructions of the Covered Entity. Access to a minor's PHI within the Service is subject to the same protections and access controls as all other PHI.
If you believe that we have inadvertently collected Personal Information from a child without appropriate consent, please contact us at privacy@practor.app and we will promptly delete it.
16. Cookies and Tracking Technologies
16.1 What We Use
We use the following technologies on the Site and within the Service:
| Technology | Purpose | Duration |
|---|---|---|
| Essential cookies | Authentication, session management, security | Session or up to 30 days |
| Analytics cookies | Understanding how users interact with our Site and Service | Up to 24 months |
| Preference cookies | Remembering your settings and preferences | Up to 12 months |
| Web beacons / pixels | Email open tracking and marketing attribution | Session |
16.2 Analytics Providers
We use the following analytics services on our marketing Site (not within the clinical application where PHI is processed):
- Vercel Analytics: Privacy-focused web analytics for site performance.
- PostHog: Product analytics for feature usage and conversion optimization.
- Google Analytics (GA4): Website traffic analysis and marketing attribution.
Analytics cookies are not used within the authenticated clinical application to avoid any association between tracking identifiers and PHI.
16.3 Your Cookie Choices
You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or receive a warning before a cookie is stored. Note that disabling essential cookies may affect the functionality of the Service.
17. Third-Party Services
We integrate with or use the following categories of third-party services:
- Cloud Infrastructure: Hosting, compute, storage, and database services. All infrastructure providers maintain current SOC 2 Type II attestation reports and sign BAAs where PHI is involved.
- Payment Processing: PCI-DSS Level 1 compliant payment processors handle all payment card transactions. We do not store payment card numbers on our servers.
- Communication Services: Email delivery, SMS notifications, and in-app messaging services that may process limited contact information.
- Identity and Access Management: Authentication providers that manage user login and multi-factor authentication.
- Support Tools: Customer support platforms that may access account information (but not PHI) to assist with your inquiries.
Each third-party provider with access to PHI enters into a BAA with Practor and is subject to the same HIPAA requirements described in this policy. A current list of subprocessors is available upon request by contacting privacy@practor.app.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Post the revised policy on this page with an updated "Last updated" date.
- Notify registered users by email at least 30 days before the changes take effect.
- Where changes materially affect the processing of PHI, provide notice to Covered Entities as specified in the BAA.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
19. Contact Us
If you have questions about this Privacy Policy, your data, or our privacy practices, contact us at:
Practor (Pty) Ltd
Privacy Team
Email: privacy@practor.app
To report a security vulnerability, contact security@practor.app.
For GDPR-related inquiries, contact our Data Protection Officer at dpo@practor.app.
For POPIA-related inquiries, contact our Information Officer at privacy@practor.app. You may also lodge a complaint with the South African Information Regulator at inforegulator.org.za.
To file a HIPAA-related complaint, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/complaints.