Data & Compliance
Effective: 9 May 2026 · Last updated: 19 June 2026
This page explains in plain language exactly what data Hauffi collects from each type of user, why it is collected, how it is stored and protected, and your rights over it. Our full Privacy Policy is available at hauffi.com/privacy.
1. Data We Collect, By User Type
Patients
| Data | Purpose | Retention | Shared publicly |
|---|---|---|---|
| Full name | Account creation and appointment matching | Account lifetime; removed from live systems on account deletion | No |
| Email address | Login, appointment confirmations, reminders | Account lifetime | No |
| Phone number | Contact by practitioner for appointment | Account lifetime | No |
| Medical aid selection | Match patients with suitable booking and billing options | Account lifetime | No |
| Medical aid name and plan | Match with doctors who accept your scheme | Account lifetime | No |
| Appointment history | Continuity of care and dispute resolution | While account is active; removed from live systems on account deletion | No |
| Push notification token | Appointment reminders and status updates | Until sign-out or account deletion | No |
| Walk-in billing metadata | On-demand fee authorisation, refunds, reconciliation, support | Per account lifecycle and finance/support retention needs | No |
| Foreground and on-demand location data | Find nearby doctors and route active walk-in requests | Stored with active walk-in requests and related operational records | No |
Healthcare Practitioners (Doctors)
| Data | Purpose | Retention | Shared publicly |
|---|---|---|---|
| Full name | Public profile, patient booking | Account lifetime | Yes, visible to authenticated patients |
| Email address | Login, notifications | Account lifetime | No |
| Phone number | Visible to booked patients only | Account lifetime | Limited, booked patients only |
| HPCSA registration number | Credential verification against HPCSA register | Account lifetime | No |
| Practice name, address, consultation fee | Public doctor profile | Account lifetime | Yes, visible to authenticated patients |
| Specialty | Search and matching | Account lifetime | Yes, visible to authenticated patients |
| Medical aids accepted | Search and matching | Account lifetime | Yes, visible to authenticated patients |
| HPCSA certificate (image) | Admin credential verification | While account is active; removed from live systems on account deletion | No; admin reviewers only, via time-limited signed URL |
| Subscription plan and status | Billing and service tier access | While account is active; removed from live systems on account deletion | No |
| Paystack authorization and payment metadata | Subscription billing via Paystack | While account is active; removed from live systems on account deletion | No |
| Biometric verification outcome | Practitioner identity confirmation (via Smile ID) | Account lifetime | No |
| Verified name (from Smile ID) | Admin cross-reference check | Account lifetime | No |
| Appointment history | Analytics and dispute resolution | While account is active; removed from live systems on account deletion | No |
Important: Smile Identity exclusively processes and retains practitioner selfies, liveness checks, and government-issued ID documents. Hauffi stores only the verification outcome, related audit fields and the verified name received from Smile Identity, together with the practitioner's HPCSA certificate, which is uploaded to Hauffi separately and is not part of the Smile Identity flow.
Dual-Role Accounts
If you hold both a patient profile and a healthcare practitioner profile under the same account, each profile maintains separate data records. Your patient data is governed by the patient data table above, and your practitioner data is governed by the healthcare practitioner data table. Deleting your account will delete both profiles and all associated data.
2. Data We Do NOT Collect
Hauffi is designed with data minimisation as a core principle. We do not collect:
- Medical records, diagnoses, prescriptions, or clinical notes
- SA ID numbers (in the practitioner biometric flow these are captured and retained by Smile Identity only; Hauffi never receives them)
- Full card numbers or CVVs
- Passport numbers
- Free-text medical disclosures from patients (cancellation reasons are from a predefined list only)
- Browsing history or cross-app tracking data
- Advertising identifiers (IDFA, GAID)
3. Third-Party Processors
We share your data with the following sub-processors, each bound by a data processing agreement:
| Provider | Purpose | Location | Data shared |
|---|---|---|---|
| Supabase | Database, authentication, file storage | United States / EU | auth.users, profiles, appointments, documents |
| Expo (Expo Push Service) | Push notifications | United States | Push notification token only |
| Google Maps Platform | Location and places lookups | United States | Practice address search queries and location-related lookups |
| Paystack | Patient walk-in billing and practitioner subscriptions | Jurisdictions used by Paystack | Masked card metadata, payment references, authorization and refund data |
| Resend | Transactional email delivery | United States | Email address, appointment reference |
| Browserless | Automated HPCSA public-register checks when enabled | United States | Practitioner name and HPCSA registration number |
| Smile Identity (Smile ID) | Biometric identity verification (practitioners) | Pan-African / USA | Selfie image, liveness, government-issued ID document, verification outcome and verified name |
| OpenAI | Doctor portal analytics assistant | United States | Aggregated practice analytics only; no patient records |
We do not share data with any advertising networks, data brokers, or analytics platforms that track individuals across services.
4. Biometric Data (Smile Identity)
Biometric verification for healthcare practitioners is performed by Smile Identity, a pan-African identity verification company compliant with applicable data protection laws, including POPIA, GDPR, and NDPR.
What Smile Identity processes
- A real-time selfie captured within the Smile Identity secure environment
- Your government-issued identity document (SA ID or passport)
- A liveness check to confirm the selfie is of a live person
- A comparison of your selfie against your ID document photo
What Hauffi receives from Smile Identity
- Verification outcome and related audit fields
- Your verified full name as it appears on your ID document
What we do not receive
- Your full card details from payment providers
- Medical records, diagnoses, prescriptions, or clinical notes
Smile Identity retains biometric data for the period necessary to complete verification and in accordance with their Privacy Policy. By proceeding with biometric verification, you consent to Smile Identity processing your data for this purpose.
5. Data Storage and Security
Where your data is stored
Hauffi uses Supabase as its primary data platform. Supabase stores data on AWS infrastructure. Our primary region is us-east-1 (US East, N. Virginia), with Supabase managing replication and backups.
Encryption
- In transit: TLS 1.3 for all data moving between your device and our servers
- At rest: AES-256 encryption for stored data, including uploaded documents
Access controls
- Row-Level Security (RLS) is enabled on every database table; a patient can only read or change rows that belong to their own account
- A practitioner can only access their own profile and the records of appointments in which they are the booked practitioner
- Uploaded HPCSA certificates are stored in a private bucket with no public URL. They are accessible only via time-limited signed URLs (1-hour expiry) generated for authorised admin reviewers; a signed URL is a bearer link, so it is never written to logs or shared outside the admin review session
- Admin access is role-restricted and requires authentication
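The access rules listed above, expressed as Supabase (Postgres) Row-Level Security and storage policies. This is an added illustration, not Hauffi's own schema or policies: the table names (patient_profiles, practitioner_profiles, practitioner_contacts, appointments, admin_users), their columns, and the bucket name hpcsa-certificates are assumptions. One design point it makes explicit: RLS filters rows, not columns, so a field with a narrower audience than the rest of its row (the practitioner phone number, visible to booked patients only) goes in its own table with its own policy.

```sql
-- Added example, not Hauffi's schema. Assumed tables and columns:
--   patient_profiles(user_id uuid, full_name, email, phone, ...)
--   practitioner_profiles(user_id uuid, full_name, practice_name, specialty, ...)
--   practitioner_contacts(user_id uuid, phone text)           -- narrow-audience field
--   appointments(id, patient_user_id uuid, practitioner_user_id uuid, ...)
--   admin_users(user_id uuid)
-- auth.uid() is the Supabase helper returning the caller's user id from their JWT.

alter table patient_profiles       enable row level security;
alter table practitioner_profiles  enable row level security;
alter table practitioner_contacts  enable row level security;
alter table appointments           enable row level security;
alter table admin_users            enable row level security;

-- Patients: full access to their own profile row only.
create policy patient_own_profile on patient_profiles
  for all to authenticated
  using      (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

-- Practitioners: the public profile (name, practice, fee, specialty, medical
-- aids) is readable by any authenticated user, writable only by its owner.
create policy practitioner_profile_read on practitioner_profiles
  for select to authenticated
  using (true);

create policy practitioner_profile_write on practitioner_profiles
  for all to authenticated
  using      (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

-- Phone number: owner, plus patients who hold an appointment with this
-- practitioner. Kept in a separate table because RLS cannot hide one column
-- of an otherwise public row.
create policy practitioner_contact_read on practitioner_contacts
  for select to authenticated
  using (
    user_id = (select auth.uid())
    or exists (
      select 1 from appointments a
      where a.practitioner_user_id = practitioner_contacts.user_id
        and a.patient_user_id      = (select auth.uid())
    )
  );

-- Appointments: visible only to the two parties to the booking.
create policy appointment_parties on appointments
  for select to authenticated
  using (
    patient_user_id      = (select auth.uid())
    or practitioner_user_id = (select auth.uid())
  );

-- Admin role table: a user can see their own membership row and nothing else.
create policy admin_self_read on admin_users
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Private bucket for HPCSA certificates: public = false means no public URL.
insert into storage.buckets (id, name, public)
values ('hpcsa-certificates', 'hpcsa-certificates', false);

-- Practitioners may upload only under a folder named after their own user id,
-- e.g. <uid>/certificate.jpg. storage.foldername() is a Supabase helper.
create policy cert_upload_own on storage.objects
  for insert to authenticated
  with check (
    bucket_id = 'hpcsa-certificates'
    and (storage.foldername(name))[1] = (select auth.uid())::text
  );

-- Only admin reviewers may read certificate objects directly.
create policy cert_admin_read on storage.objects
  for select to authenticated
  using (
    bucket_id = 'hpcsa-certificates'
    and exists (select 1 from admin_users u where u.user_id = (select auth.uid()))
  );
```

The 1-hour signed URL for an admin reviewer is minted server-side with the service-role key (for example `storage.from('hpcsa-certificates').createSignedUrl(path, 3600)` in the Supabase client); that key bypasses RLS entirely, so it must never reach the mobile app, and the minting endpoint has to check `admin_users` itself before issuing a link. Two things worth verifying in a review: run `select tablename from pg_tables where schemaname = 'public' and not rowsecurity` and expect no rows, and confirm that `authenticated` has no direct grant on `storage.buckets` that would let a client flip `public` to true.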
Backup retention
- Automated backups are encrypted at rest using the same encryption as live systems (AES-256)
- Backup copies are retained for a maximum of 30 days for operational recovery purposes only
- Deleted account data may persist in backups until the 30-day retention period expires
6. Data Retention and Deletion
| Data type | Retention period | Deletion |
|---|---|---|
| Patient account data | Until account deletion | Removed from live systems immediately on account deletion, subject to limited backup retention |
| Doctor account data | Until account deletion | Removed from live systems immediately on account deletion, subject to limited backup retention |
| Appointment records | While account is active | Removed from live systems on account deletion, subject to limited backup retention |
| Verification documents (HPCSA cert only) | While account is active | Removed from live systems on account deletion, subject to limited backup retention |
| Push notification tokens | While active | On sign-out or account deletion |
| Audit log (deletion record) | Indefinitely (account UUID, role and timestamp only; no name, contact or profile data) | Not deleted; retained as a POPIA compliance record |
| Smile Identity biometric data | Per Smile Identity's retention policy | Per Smile Identity's deletion process |
You can delete your own account at any time directly within the app. See the Privacy Policy for step-by-step instructions.
7. Regulatory Compliance
| Regulation | Applicability | Status |
|---|---|---|
| POPIA (South Africa) | Primary jurisdiction, our core compliance standard | ✅ Compliant |
| GDPR (EU / EEA) | Applies to EU-resident users | ✅ Compliant, lawful bases documented in Privacy Policy |
| UK GDPR | Applies to UK-resident users | ✅ Compliant |
| CCPA / CPRA (California) | Applies to California residents | ✅ Compliant, no sale of personal data |
| LGPD (Brazil) | Applies to Brazilian residents | ✅ Compliant |
| PIPEDA (Canada) | Applies to Canadian residents | ✅ Compliant |
| Australian Privacy Act (APPs) | Applies to Australian residents | ✅ Compliant |
| NDPR (Nigeria) | Applies where Smile Identity processes Nigerian data | ✅ via Smile Identity |
8. Children's Data
Hauffi is not directed at children or minors. You must be at least 18 years old to use Hauffi. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, contact us immediately at admin@hauffi.com and we will delete it promptly.
9. Your Rights
Regardless of your location, you may exercise the following rights by emailing admin@hauffi.com:
- Access: receive a copy of your personal data
- Correction: correct inaccurate or incomplete data
- Deletion: delete your account and personal data (also available self-serve within the app)
- Restriction: limit how we process your data
- Portability: receive your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Withdraw consent: withdraw any consent without affecting prior lawful processing
We respond to all rights requests within 30 days.
10. Contact
For data-related queries, subject access requests, or compliance questions:
Email: admin@hauffi.com
Hauffi, Privacy Officer
South Africa