Legal
Privacy Policy
This policy applies to Beyond the Scale (Pty) Ltd, a registered medical practice in Mbombela, Mpumalanga, South Africa. We process personal and health information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and the National Health Act 61 of 2003.
1. Who We Are
Beyond the Scale Clinic is a multidisciplinary obesity medicine practice located in Mbombela, Mpumalanga. Our responsible party (as defined in POPIA) is the Medical Director, Dr Mabule Mothapo. Contact details are provided in section 11 below.
2. What Information We Collect
Personal Information
- Full name, date of birth, gender, contact details (email, phone)
- Medical aid / health insurance details
- Emergency contact information
- Identity number (for medical records and billing)
Special Personal Information (Health Records)
Under POPIA, health data is classified as special personal information and receives the highest level of protection. We collect:
- Medical history, diagnoses, and current medications
- Weight, biometric, and metabolic measurements
- Dietary records and nutritional assessments
- Psychological assessment notes and session records
- Laboratory results and imaging reports
- Prescription and treatment records
Technical and Platform Data
- Patient portal login credentials (stored as encrypted hashes)
- Weight and meal logs entered in the patient portal
- Documents uploaded via the portal
- IP address and browser information (server logs, retained 30 days)
3. Why We Process Your Information
We process personal information for the following lawful purposes under POPIA:
- Provision of healthcare — delivering medical, dietetic, and psychological treatment
- Legal obligation — maintaining clinical records as required by the National Health Act and HPCSA guidelines
- Legitimate interest — communicating appointment reminders, clinical updates, and account information
- Consent — where you have explicitly opted in (e.g. marketing communications)
4. Storage and Security
All data is stored on Supabase infrastructure hosted in South Africa or an equivalent jurisdiction. We implement:
- Encryption in transit (TLS) and at rest (AES-256)
- Row-level security ensuring patients access only their own records
- Staff access restricted by role-based permissions
- Regular security reviews and access audits
Physical records (where applicable) are stored in locked, access-controlled filing within our Mbombela premises.
5. Sharing Your Information
We do not sell your personal information. We may share it in the following limited circumstances:
- Within the clinic — between our medical, dietetic, and psychological practitioners for coordinated care (MDT model)
- Referral practitioners — with your written consent, to external specialists or your GP
- Medical aid / insurers — to process claims on your behalf
- Legal obligation — where required by law, court order, or the Health Professions Council of South Africa (HPCSA)
- Operators — third-party service providers (e.g. our technology platform) under written data processing agreements
6. Retention Period
Clinical records are retained for a minimum of 6 years after the last consultation, or until a minor patient turns 21, whichever is later — as required by the National Health Act. Non-clinical data (e.g. marketing consent) is retained for 3 years or until withdrawn.
7. Your Rights under POPIA
As a data subject, you have the right to:
- Access — request a copy of your personal information
- Correction — request that inaccurate information be corrected
- Deletion — request erasure, subject to our legal retention obligations
- Objection — object to processing based on legitimate interest
- Restriction — request that processing be limited in certain circumstances
- Withdrawal of consent — withdraw consent at any time where processing is consent-based
To exercise any of these rights, contact our Information Officer (see section 11). We will respond within 30 days.
8. Cookies and Tracking
Our website uses only the following minimal cookies:
- Session cookie — stores your portal authentication state (essential, expires on logout or after 24 hours)
- Preference cookie — remembers UI preferences such as scroll position (non-tracking)
We do not use advertising, analytics, or third-party tracking cookies. No data is shared with social media platforms for targeting purposes.
9. Children
We do not knowingly process personal information from individuals under the age of 18 without verifiable parental or guardian consent. If you believe a minor's information has been submitted without consent, contact us immediately.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated to active patients via email or the patient portal. The current version is always available on this page with the effective date noted above.
11. Contact Us
To exercise your POPIA rights, raise a privacy concern, or request access to your records:
- Information Officer: Dr Mabule Mothapo
- Clinic: Beyond the Scale Clinic, Mbombela, Mpumalanga
- Email: info@beyondthescaleclinic.co.za
To lodge a complaint with the national regulator:
- Information Regulator (South Africa)
- Website: inforegulator.org.za
- Email: complaints.IR@justice.gov.za