Skip to main content

Privacy Policy

Last updated: 1 June 2026

UpDoc (Pty) Ltd(Registration No. 2026/344997/07) — Version 2.1, effective 1 June 2026. Your privacy matters to us. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the UpDoc platform — whether you are a Health Professional (locum), a Health Facility (hospital or department), or a Locum Agency. By using the Platform you acknowledge that you have read and understood this Policy. It must be read with our Terms of Use and Cookie Policy.

1. Who we are

UpDoc (Pty) Ltd is a private company incorporated in the Republic of South Africa. We operate an online platform that connects Health Facilities with Health Professionals to advertise, book, and confirm locum shifts, together with a separate Agency Portal through which Locum Agencies manage and verify the practitioners registered under their account. UpDoc is the Responsible Partyin respect of personal information it collects directly, as defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”). A Locum Agency that processes its practitioners’ personal information through the Agency Portal does so as a separate Responsible Party (or Operator, as applicable) and is independently responsible for its own POPIA compliance.

Information Officer: Mark Trevor Verryn · mark@updocsa.co.za· 4 Montrose Street, Unit 111, Newlands, Cape Town, 7700, South Africa.

2. Legal framework

We process personal information in accordance with South African law, including POPIA, the Electronic Communications and Transactions Act 25 of 2002 (ECT Act), the Cybercrimes Act 19 of 2020, and the Consumer Protection Act 68 of 2008 where applicable.

3. What personal information we collect

We practise data minimisation and collect only what we need to run the Platform. What we hold depends on your role:

  • Health Professionals (locums):first and last name; your professional registration number (HPCSA “MP” number); the email address you sign in with; and a contact telephone number. We also hold your account record (managed via our authentication provider; passwords are stored only as salted hashes by that provider and are never visible to us), and your shift activity — bids, offers, bookings, and any hours you log against a completed shift.
  • Health Facilities (hospitals / departments): the facility and department name and time zone; the email address of the authorised department administrator; and the shifts they publish together with the resulting bids and bookings.
  • Locum Agencies: the agency name and contact details; the email address of the authorised agency administrator; and records of the practitioners they verify and the bookings made under their account.
  • All users:basic technical and security data generated when you use the Platform — such as an IP address and request/error logs captured by our hosting and error-monitoring providers — and an internal audit log of key actions (for example, creating, booking, or cancelling a shift) kept for security and accountability.

We do not currently collect identity/passport numbers, dates of birth, indemnity-insurance details, employment history, or payment-card information. If we introduce features (such as paid subscriptions or additional verification) that require further categories of information, we will update this Policy and collect that information only where a lawful basis exists.

4. Why we process your information and our lawful basis

  • To create and administer accounts and provide the core Platform and Agency Portal — performance of contract.
  • To match Health Professionals with shifts and confirm bookings, including agency verification and approvals — performance of contract.
  • To send transactional email notifications — for example offer, booking-confirmation, and cancellation notices — and in-platform notifications — performance of contract and legitimate interest.
  • To keep the Platform secure and detect and prevent fraud, impersonation, and misuse — legitimate interest.
  • To comply with applicable law and respond to regulators or law enforcement — legal obligation.

We do not currently send marketing communications. If we introduce them, they will be sent on the basis of consent only, which you may withdraw at any time.

5. Who we share your information with

UpDoc does not sell personal information. We share it only as necessary to run the Platform:

  • Health Facilities: on confirmation of a booking, the relevant practitioner’s name, MP number, and contact number are made available to the booking facility.
  • Locum Agencies: an agency can view the profile, verification status, and shift activity of the practitioners registered under its account, for the sole purpose of managing that activity.
  • Service providers (sub-processors) who process information on our behalf under data-processing agreements — see Section 7.
  • Professional regulatory bodies (e.g. HPCSA) where we reasonably suspect falsified credentials or impersonation, to protect patients and the public.
  • Law enforcement, the Information Regulator, or courts where required or permitted by law.
  • A successor entity in the event of a merger, acquisition, or restructuring, subject to equivalent data-protection commitments.

If we introduce paid features in future, a payment processor would handle fee transactions; we would not store full payment-card details ourselves, and this Policy would be updated accordingly.

6. Locum Agency data obligations

A Locum Agency that registers and verifies practitioners through the Agency Portal must process their personal information only to manage their shift activity on the Platform; must have obtained each practitioner’s informed consent to be registered; must keep that information confidential and secure; must not disclose it to third parties without consent or a lawful basis; and must notify UpDoc promptly of any suspected breach. UpDoc is not responsible for a Locum Agency’s independent breach of POPIA in respect of that information.

7. Sub-processors and cross-border processing

We use a small number of reputable service providers to operate the Platform. Some process limited personal information outside South Africa. In each case the transfer is made under section 72 of POPIA — the recipient is bound by a data-processing agreement imposing data-protection obligations substantially similar to POPIA and/or is subject to laws (such as the EU GDPR) that provide an adequate level of protection:

  • Supabase — managed database and authentication. Our database is currently hosted in the European Union (London/EU West region).
  • Vercel — application hosting and delivery (United States / global edge network).
  • Resend — delivery of transactional email notifications (United States). Recipient email addresses and notification content are processed for delivery.
  • Sentry — error and performance monitoring (United States). Technical diagnostic data is processed; we configure it to minimise personal information.

We will not transfer personal information outside South Africa in circumstances that undermine your rights under POPIA, and we keep this list current as our providers change.

8. How long we keep your information

  • Account data: retained while your account is active. On closure, it is deleted or de-identified within a reasonable period, save where law requires longer retention.
  • Shift and booking records: retained for a reasonable period after the relevant shift for record-keeping, reconciliation, and dispute resolution.
  • Audit logs: retained for approximately 24 months (subject to ongoing legal review) and then pruned.
  • Notification records: retained for operational and delivery-verification purposes and then cleared.

On expiry of the applicable period, information is securely deleted or de-identified.

9. Cookies

The Platform uses strictly necessary cookies only— the authentication-session cookie that keeps you signed in. We do not use analytics, advertising, or tracking cookies, and no cookie-consent banner is therefore required. Full details are in our Cookie Policy.

10. How we protect your information

We apply appropriate technical and organisational measures, including: encrypted transmission over HTTPS; passwords stored only as salted hashes by our authentication provider; database row-level security and role-based access so each user and organisation can reach only their own data; an append-only audit trail; and data-processing agreements with our sub-processors. No internet system is perfectly secure; you are responsible for keeping your credentials confidential and notifying us of any suspected unauthorised access. In the event of a breach posing a real risk of harm, we will notify affected data subjects and the Information Regulator as required by section 22 of POPIA.

11. Your rights as a data subject

Under POPIA you have the right to access the personal information we hold about you; to request correction or deletion (subject to legal retention obligations); to object to processing based on legitimate interests or for direct marketing; and to withdraw consent where processing is based on consent. You may also lodge a complaint with the Information Regulator (South Africa): www.inforegulator.org.za, complaints.IR@justice.gov.za, tel. 010 023 5200. We ask that you contact us first so we can try to resolve your concern directly.

12. Children

The Platform is intended for persons aged 18 and older. We do not knowingly collect personal information from anyone under 18, and will delete it promptly if we become aware of it.

13. Changes to this Policy

We may update this Policy to reflect changes in our practices, Platform features, or applicable law. We will give registered users not less than 14 days’ notice of material changes by email and/or a notice on the Platform.

14. How to contact us

For any privacy question, request, or complaint, contact our Information Officer, Mark Trevor Verryn, at mark@updocsa.co.za (or support@updocsa.co.za), UpDoc (Pty) Ltd, 4 Montrose Street, Unit 111, Newlands, Cape Town, 7700. We aim to acknowledge privacy-related correspondence within 3 business days and to resolve requests within the timeframes prescribed by POPIA and the Promotion of Access to Information Act 2 of 2000 (PAIA).