Privacy Policy & Data Protection
Last Updated: October 2025 | Version 1.0
1. INTRODUCTION
FindYourLocum ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services ("Platform").
By using the Platform, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Platform.
2. COMPLIANCE WITH LEGISLATION
- We comply with the Protection of Personal Information Act (POPIA), Act 4 of 2013.
- We comply with the Electronic Communications and Transactions Act, 2002.
- We comply with the National Health Act, 2003, regarding health information.
- We adhere to the Health Professions Council of South Africa (HPCSA) guidelines on confidentiality and data protection.
- We comply with Google Play Store privacy and data safety requirements.
- We comply with applicable international data protection regulations including GDPR where relevant.
2A. GOOGLE PLAY DATA SAFETY
In compliance with Google Play Store requirements, we provide the following data safety information:
Data Collection Categories:
Personal Information
- Name, email address, phone number
- ID/passport number
- Physical and postal addresses
- Profile photographs
- Purpose: Account creation, identity verification, communication
Financial Information
- Banking details for payments
- Payment card information (processed by third-party payment processors)
- Transaction history
- Purpose: Payment processing, financial transactions
Location Data
- Approximate location (from IP address)
- Precise location (when using location-based features with permission)
- Purpose: Matching locums with nearby practices, shift notifications
Professional Credentials
- HPCSA registration number
- Qualifications and certifications
- Professional indemnity insurance details
- Purpose: Verification, matching, compliance
App Activity & Performance
- App interactions, usage patterns
- Crash logs and diagnostics
- Performance data
- Purpose: App improvement, analytics, bug fixing
Device Information
- Device ID, model, operating system
- IP address
- Browser type and version
- Purpose: Security, fraud prevention, app optimization
Communications
- In-app messages between users
- Support communications
- Purpose: Facilitating shift coordination, customer support
Data Sharing:
We share data with the following categories of third parties:
- Other users: Profile information shared when applying for or posting shifts
- Payment processors: Financial information for transaction processing
- Cloud service providers: Data storage and hosting services
- Analytics providers: Usage and performance data for app improvement
- Verification services: Credential verification for HPCSA registration
- Communication services: Email and SMS notifications
Data Security: All data is encrypted in transit using TLS/SSL and at rest using industry-standard encryption (AES-256).
3. INFORMATION WE COLLECT
3.1 Personal Information:
- Full name and surname
- Email address and phone number
- ID/passport number
- HPCSA registration number (for healthcare professionals)
- Practice registration details (for medical practices)
- Banking details for payment processing
- Physical and postal addresses
- Date of birth
- Profile photographs
3.2 Professional Information:
- Qualifications and certifications
- Professional indemnity insurance details
- Work history and experience
- Specializations and skills
- References and recommendations
- Performance ratings and reviews
3.3 Usage Information:
- Shift applications and bookings
- Check-in and check-out times
- Location data (when using location-based features)
- Device information and identifiers
- IP address and browser type
- App usage statistics and preferences
- Communication and chat messages on the Platform
3.4 Financial Information:
- Payment card details (processed securely by third-party payment processors)
- Banking information for direct deposits
- Transaction history and invoices
- Tax information (as required by law)
4. HOW WE COLLECT INFORMATION
4.1 Information You Provide:
- Registration and profile creation
- Application forms and submissions
- Communication with support or other users
- Document uploads for verification
- Banking and payment setup
4.2 Automatically Collected Information:
- Device and usage data through cookies and similar technologies
- Location data (with your permission)
- Performance and error logs
- Analytics data
4.3 Information from Third Parties:
- Verification services for credentials
- Payment processors
- Background check providers (with your consent)
- Professional regulatory bodies (e.g., HPCSA)
5. HOW WE USE YOUR INFORMATION
5.1 Platform Operations:
- Creating and managing your account
- Matching healthcare professionals with practices
- Processing shift applications and bookings
- Facilitating check-in and check-out procedures
- Enabling communication between users
- Processing payments and financial transactions
5.2 Verification and Security:
- Verifying professional credentials and qualifications
- Conducting background checks (with consent)
- Preventing fraud and ensuring Platform security
- Monitoring compliance with terms and regulations
5.3 Service Improvement:
- Analyzing usage patterns and preferences
- Improving Platform functionality and user experience
- Developing new features and services
- Conducting research and analytics
5.4 Communication:
- Sending shift notifications and updates
- Providing customer support
- Sending administrative messages
- Marketing communications (with your consent)
- Surveys and feedback requests
5.5 Legal Compliance:
- Complying with legal obligations
- Responding to law enforcement requests
- Protecting our rights and property
- Enforcing our terms and policies
6. DATA SHARING AND DISCLOSURE
6.1 With Other Users:
- Healthcare professionals: Profile information is shared with practices when applying for shifts
- Practices: Basic information is shared with healthcare professionals when shifts are posted
- Ratings and reviews are visible to relevant parties
6.2 With Service Providers:
- Payment processors (e.g., for processing transactions)
- Cloud storage providers
- Analytics and data services
- Verification and background check services
- Email and SMS service providers
6.3 For Legal Reasons:
- Compliance with laws, regulations, or legal processes
- Response to lawful requests by public authorities
- Protection of our rights, privacy, safety, or property
- Investigation of potential violations of our terms
6.4 Business Transfers:
- In connection with mergers, acquisitions, or asset sales
- Users will be notified of any change in ownership or data usage
6.5 With Your Consent:
Any other sharing will only occur with your explicit consent.
7. DATA RETENTION
We retain your personal information for as long as necessary to:
- Provide our services
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Maintain business and financial records
Retention Periods:
- Active accounts: Throughout account lifetime and up to 7 years after closure
- Financial records: Minimum 5 years (as required by tax law)
- Communication records: Up to 3 years
- Marketing data: Until you opt out or withdraw consent
You may request deletion of your data, subject to legal retention requirements.
8. YOUR RIGHTS UNDER POPIA
9. DATA SECURITY
We implement appropriate technical and organizational measures to protect your information:
- Encryption of data in transit and at rest
- Secure server infrastructure
- Access controls and authentication
- Regular security audits and assessments
- Employee training on data protection
- Incident response procedures
Despite our efforts, no security system is impenetrable. We cannot guarantee absolute security.
You are responsible for maintaining the confidentiality of your account credentials.
9A. APP PERMISSIONS
Our mobile application requests the following permissions. We only request permissions that are necessary for app functionality:
📍 Location Permission (Optional)
Why we need it: To show you nearby shift opportunities and help practices find locums in their area.
When it's used: Only when you actively search for shifts or when location-based matching is enabled.
📸 Camera Permission (Optional)
Why we need it: To allow you to take photos for your profile or upload verification documents.
When it's used: Only when you choose to take a photo within the app.
🖼️ Photo Library Permission (Optional)
Why we need it: To allow you to select and upload photos or documents from your device.
When it's used: When you upload profile pictures, certificates, or verification documents.
🔔 Notification Permission (Optional)
Why we need it: To send you important updates about shift applications, bookings, and messages.
When it's used: For time-sensitive notifications about shifts, messages, and payment confirmations.
📶 Network/Internet Access (Required)
Why we need it: Essential for app functionality, connecting to our servers, and loading content.
When it's used: Throughout app usage for data synchronization and real-time updates.
Your Control: You can manage all app permissions through your device settings at any time. Denying certain permissions may limit some app functionality.
9B. ACCOUNT DELETION & DATA REMOVAL
In compliance with Google Play requirements, you have the right to delete your account and associated data at any time.
How to Delete Your Account:
Option 1: Within the App
- Open the FindYourLocum app
- Go to Settings → Account Settings
- Scroll to the bottom and tap "Delete Account"
- Confirm your decision
- Your account and data will be permanently deleted within 30 days
Option 2: Via Email Request
Send an email to privacy@findyourlocum.com with:
- Subject: "Account Deletion Request"
- Your registered email address
- Account type (Healthcare Professional or Practice)
- Reason for deletion (optional)
We will process your request within 7 business days and send confirmation once completed.
Option 3: Via Web Portal
Visit findyourlocum.co.za/privacy and use the "Request Account Deletion" form (account deletion portal will be made available).
What Happens When You Delete Your Account:
- Your profile and personal information will be permanently deleted
- All shift applications and bookings will be cancelled
- Your messages and communications will be deleted
- You will no longer receive notifications or emails
- Your ratings and reviews may be anonymized but retained for platform integrity
- Some data may be retained for legal compliance (e.g., financial records for tax purposes)
Data Retained for Legal Compliance:
Even after account deletion, we may retain certain information as required by law:
- Financial transaction records (5 years for tax compliance)
- Data required for ongoing legal proceedings
- Fraud prevention records
- Aggregated, anonymized analytics data
Important: Account deletion is permanent and cannot be undone. Please ensure you have downloaded any important data before proceeding.
9C. USER CONSENT & IN-APP DISCLOSURES
We obtain your consent before collecting or processing your personal data through clear, unambiguous disclosures:
When We Ask for Consent:
- First app launch: Privacy policy acceptance and permission requests
- Account creation: Collection of personal and professional information
- Location access: Before accessing device location for the first time
- Camera/photos: Before accessing camera or photo library
- Notifications: Before sending push notifications
- Marketing communications: Opt-in for promotional emails and messages
- Background checks: Explicit consent before conducting any background verification
Characteristics of Our Consent Requests:
- Clear and plain language explaining what data is collected and why
- Displayed prominently during normal app usage
- Require affirmative action (tapping "Accept" or "Allow")
- Cannot be auto-dismissed or bypassed without user action
- Separate requests for different data types (not bundled)
Withdrawing Consent:
You can withdraw your consent at any time by:
- Adjusting app permissions in your device settings
- Changing notification preferences in the app settings
- Unsubscribing from marketing emails
- Contacting us at privacy@findyourlocum.com
9D. THIRD-PARTY SERVICES & SDKs
We use third-party services and software development kits (SDKs) to provide and improve our services. These third parties may collect and process data according to their own privacy policies:
Firebase (Google)
Services used: Authentication, Cloud Firestore, Cloud Storage, Cloud Messaging, Analytics
Data shared: User ID, device information, app usage, crash reports
Privacy policy: firebase.google.com/support/privacy
Payment Processors
Services used: Secure payment processing, fraud detection
Data shared: Payment information, transaction details, billing address
All payment data is processed securely and not stored on our servers.
Cloud Storage Providers
Services used: Secure data storage and backup
Data shared: User data, documents, photos (all encrypted)
Communication Services
Services used: Email delivery, SMS notifications
Data shared: Email addresses, phone numbers, message content
Maps & Location Services
Services used: Mapping, geolocation
Data shared: Location data (only when permission granted)
Note: We carefully vet all third-party services to ensure they meet our security and privacy standards. We only share the minimum data necessary for each service to function.
10. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar technologies to:
- Remember your preferences
- Understand how you use the Platform
- Improve user experience
- Provide analytics insights
You can control cookie settings through your device or browser settings. Disabling cookies may limit Platform functionality.
11. THIRD-PARTY LINKS
- The Platform may contain links to third-party websites or services.
- We are not responsible for the privacy practices of third parties.
- We encourage you to review the privacy policies of any third-party sites you visit.
12. CHILDREN'S PRIVACY
- The Platform is not intended for users under 18 years of age.
- We do not knowingly collect information from children under 18.
- If we learn we have collected information from a child under 18, we will delete it promptly.
13. INTERNATIONAL DATA TRANSFERS (CROSS-BORDER TRANSFERS)
In accordance with Section 72 of the Protection of Personal Information Act (POPIA), we are required to inform you about the cross-border transfer of your personal information and obtain your consent before such transfers occur.
13.1 Where Your Data is Stored
FindYourLocum utilises cloud-based infrastructure services, including but not limited to Firebase (Google Cloud Platform), to store and process your personal information. These services operate data centres located outside of the Republic of South Africa, primarily in:
- United States of America
- European Union (EU) member states
This means that your personal information, including identification details, professional credentials, and transactional data, may be transferred to, stored in, and processed in jurisdictions outside South Africa.
13.2 Legal Basis for Cross-Border Transfers
We rely on the following lawful grounds under Section 72 of POPIA to transfer your personal information outside South Africa:
a) Your Explicit Consent
During account registration, you are clearly informed that your data will be stored on servers located outside South Africa. By proceeding with registration and expressly accepting these terms, you provide your specific, voluntary, and informed consent to the cross-border transfer of your personal information as required by Section 72(1)(b) of POPIA.
b) Adequate Level of Protection
Our cloud service providers (including Google/Firebase) are subject to laws and binding agreements that provide an adequate level of protection substantially similar to POPIA. The European Union operates under the General Data Protection Regulation (GDPR), which provides robust data protection standards. Our service providers have also entered into Standard Contractual Clauses (SCCs) and Data Processing Agreements that uphold principles for reasonable processing of personal information.
c) Necessary for Contract Performance
The cross-border transfer is necessary for the performance of our contract with you—specifically, to provide you with the FindYourLocum platform services, including profile management, shift matching, communication features, and payment processing.
13.3 Consent at Registration
Important: When you create an account on FindYourLocum, you will be presented with a clear disclosure stating that your personal information will be stored on cloud servers located in the United States and/or European Union. You must acknowledge and consent to this cross-border transfer before your account can be created. Without this consent, you will not be able to use the Platform.
The consent prompt during sign-up includes the following acknowledgment, which you must accept:
13.4 Safeguards We Have Implemented
To protect your personal information during and after cross-border transfer, we have implemented the following safeguards:
- Data Processing Agreements: We have entered into binding agreements with our cloud service providers that require them to protect your personal information in accordance with standards substantially similar to POPIA.
- Encryption: All data is encrypted in transit using TLS/SSL protocols and at rest using AES-256 encryption.
- Access Controls: Strict access controls ensure that only authorised personnel can access your personal information.
- GDPR Compliance: Our EU-based data storage complies with the General Data Protection Regulation, which provides a level of protection recognised as adequate by many jurisdictions.
- Regular Audits: Our service providers undergo regular security audits and maintain certifications such as ISO 27001 and SOC 2.
13.5 Your Rights Regarding Cross-Border Transfers
You have the right to:
- Withdraw your consent to cross-border transfers at any time by deleting your account (note: this will terminate your access to the Platform)
- Request information about the specific countries where your data is stored
- Request information about the safeguards in place for your data
- Lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated
13.6 Contact for Cross-Border Transfer Queries
If you have any questions or concerns about the cross-border transfer of your personal information, please contact our Data Protection Officer at dpo@findyourlocum.co.za.
14. CHANGES TO THIS PRIVACY POLICY
- We may update this Privacy Policy from time to time.
- We will notify you of material changes via email or Platform notification.
- Continued use of the Platform constitutes acceptance of the updated policy.
- The "Last Updated" date at the top indicates when the policy was last revised.
15. MARKETING COMMUNICATIONS
We may send you marketing communications if you have opted in. You can opt out at any time by:
- Clicking "unsubscribe" in email communications
- Adjusting notification settings in the app
- Contacting us directly
Opting out of marketing does not affect operational communications.
16. CONTACT INFORMATION
For questions, concerns, or to exercise your privacy rights, contact us at:
Information Regulator (South Africa):
17. DATA PROTECTION OFFICER
For data protection matters, you may contact our Data Protection Officer:
18. CONSENT AND ACCEPTANCE
By using the FindYourLocum Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy and the collection, use, and disclosure of your information as described herein.