Privacy Policy
How we collect, use, and protect your personal information.
Last updated: 8 April 2026
1. Introduction
UCIP (Unified Clinical Intelligence Platform), operated by GettinDrikkieWithIt (Pty) Ltd ("we", "us", "our"), provides a cloud-based software platform for Emergency Medical Services (EMS) companies, medical transport providers, and healthcare facilities in South Africa.
We are committed to protecting the privacy and security of all personal information processed through our platform, in compliance with the Protection of Personal Information Act, 2013 (POPIA) and its 2026 Health Data Regulations.
This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what your rights are as a data subject.
2. Information Officer
Information Officer: Drikus van der Walt
Email: privacy@ucip.co.za
Address: South Africa
Our Information Officer is registered with the Information Regulator in terms of POPIA Section 55.
3. What information we collect
3.1 Staff and user data
When an EMS organisation registers with UCIP, we collect information about their staff members:
- Full name, email address, phone number
- Professional registration details (e.g. HPCSA number, expiry date)
- Qualifications and training records
- Role and facility assignment
- Login credentials (passwords are hashed and never stored in plain text)
3.2 Patient data (special personal information)
During patient care and transport, the following health-related information may be recorded:
- Patient name, South African ID number, date of birth
- Medical conditions, allergies, current medications, blood type
- Vital signs (heart rate, blood pressure, SpO2, temperature, GCS, EtCO2, respiratory rate)
- Clinical notes, assessments, and interventions
- ISBAR handoff records
- Clinical photographs (with consent)
- Consent records
This data is classified as special personal information under POPIA Section 26 and is processed under the Section 32 healthcare exemption for medical treatment, care, and administration.
3.3 Operational data
- Booking and dispatch records
- Vehicle information, GPS coordinates, maintenance records
- Shift schedules, duty logs, leave records
- Invoice, payment, and billing information
- Communication messages between staff and facilities
3.4 Technical data
- IP addresses and access logs
- Device tokens for push notifications
- Usage analytics and AI feature usage records
4. How we use your information
We process personal information for the following purposes:
Patient care and clinical documentation
Recording vitals, assessments, interventions, and handoffs during patient transfers. Legal basis: POPIA Section 32 (healthcare exemption).
Dispatch and operational management
Managing bookings, crew assignments, vehicle tracking, and shift scheduling. Legal basis: Legitimate interest / contract performance.
Billing and invoicing
Generating invoices, processing payments, and medical aid claims. Legal basis: Contract performance.
AI-powered clinical features
Speech-to-text vitals extraction, device image reading, and clinical analysis. Legal basis: Consent and contract performance. AI usage is tracked and metered per organisation.
Quality improvement and training
Where explicit consent is obtained, anonymised data may be used for clinical quality improvement. Simulation sessions are tagged and excluded from operational reports.
5. How we protect your information
We implement the following technical and organisational measures to protect personal information:
- Encryption at rest: Sensitive fields (patient ID numbers, allergies, authentication secrets) are encrypted in the database using AES-256
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced)
- Authentication: Passwords are hashed with bcrypt. Two-factor authentication (TOTP) is available. JWT tokens expire after 15 minutes
- Access control: Role-based access control (admin, clinician, paramedic). Organisation-level data isolation
- Audit logging: Access to patient records is logged with user ID, action, timestamp, and IP address
- Rate limiting: API request throttling to prevent abuse
- Secure hosting: Application hosted on secure infrastructure with regular security updates
6. Data sharing and third parties
We may share personal information with:
- Receiving healthcare facilities: Clinical data shared via ISBAR handoffs and session collaboration links (with consent and access expiry controls)
- Medical aid schemes: Billing data including ICD-10 codes and authorisation numbers for claims processing
- AI service providers: Clinical data may be processed by third-party AI providers (Anthropic, Deepgram) for speech-to-text, structuring, and image analysis features. These providers are bound by data processing agreements
- Accounting integration: Financial data may be synced with Xero or Sage for accounting purposes
- Communication providers: Contact details shared with WhatsApp Business API and SMS providers for notifications
We do not sell personal information to any third party. We do not share patient health data for marketing purposes.
7. Data retention
We retain personal information in accordance with South African medical record retention requirements:
| Record type | Minimum retention |
|---|---|
| General patient records | 6 years after becoming dormant |
| Minor patients (under 18) | Until patient turns 21 |
| Occupational illness/injury | 20 years |
| Staff employment records | 5 years after employment ends |
| Financial/invoice records | 5 years (SARS requirement) |
After the applicable retention period, data will be securely deleted or anonymised.
8. Your rights as a data subject
Under POPIA, you have the right to:
- Access: Request confirmation of whether we hold personal information about you, and request a copy of that information
- Correction: Request correction or update of inaccurate, incomplete, or misleading personal information
- Deletion: Request deletion of personal information that is no longer necessary, subject to legal retention requirements
- Object: Object to the processing of your personal information on reasonable grounds
- Withdraw consent: Withdraw previously given consent at any time (this does not affect the lawfulness of processing before withdrawal)
- Complain: Lodge a complaint with the Information Regulator if you believe your rights have been infringed
To exercise any of these rights, contact our Information Officer at privacy@ucip.co.za. We will respond within 30 days.
9. Cookies and tracking
Our platform uses essential cookies for authentication and session management. We do not use third-party advertising cookies or tracking pixels. No personal information is shared with advertising networks.
10. Data breach notification
In the event of a data breach that may compromise your personal information, we will:
- Notify the Information Regulator as soon as reasonably possible (within 72 hours)
- Notify affected data subjects with details of the breach, potential consequences, and recommended protective measures
- Take immediate steps to contain the breach and prevent further unauthorised access
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact and complaints
UCIP Information Officer: privacy@ucip.co.za
Information Regulator (South Africa):
Tel: 010 023 5200
Email: complaints.IR@justice.gov.za
Website: www.justice.gov.za/inforeg