Expand Health (Pty) Ltd ("Expand Health", "we", "us") operates the Expand Health platform — a clinical workflow and AI-assisted practice management system for healthcare practitioners.
Registered country: Republic of South Africa
Contact: privacy@expandhealth.io
Under POPIA and analogous data protection frameworks, the distinction between a data controller ("responsible party") and a data processor ("operator") is critical:
| Category | Role | Explanation |
|---|---|---|
| Practitioner account data (your name, email, billing) | We are the controller | We determine why and how we process this data to operate the Service. |
| Patient health data (names, records, labs, notes) | You are the controller; we are the processor | You instruct us to process patient data on your behalf. We act on your instructions only. |
As the data controller for patient data, you bear responsibility for obtaining valid patient consent and ensuring a lawful basis for processing.
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Provide and operate the Service | Account & patient data | Contract performance |
| Process AI features (summaries, protocols) | Pseudonymised clinical data | Contract performance + consent |
| Send transactional emails (welcome, expiry) | Email address | Contract performance |
| Billing and subscription management | Contact & payment data | Contract performance |
| Security monitoring and fraud prevention | Account & log data | Legitimate interest |
| Legal compliance and audit | Account & usage data | Legal obligation |
| Product improvement (aggregate analytics) | Anonymised usage data | Legitimate interest |
We do not sell personal information to third parties.
All patient health data is encrypted at rest using AES-256-GCM. Sensitive fields (names, emails, national IDs) are individually encrypted using a dedicated encryption key (PHI_ENCRYPTION_KEY) that is separate from the database credentials. Data is transmitted exclusively over TLS 1.2+.
Each practitioner workspace is a fully isolated tenant. Patient data is scoped by tenant_id at the application layer and enforced by PostgreSQL Row-Level Security at the database layer. No workspace can access another workspace's patient data.
Access to patient data within the platform is controlled by role-based permissions. Platform engineers at Expand Health have limited, audited access to production data strictly for operational purposes (e.g., investigating a support issue at your explicit request).
When patients access their own records through the patient portal, they authenticate via one-time passcode (OTP) and receive a scoped JWT that restricts access to their own records only.
Expand Health uses AI models from three providers to power its clinical features. Before any data is sent to these providers, our PHI Redaction service replaces direct patient identifiers (name, email, date of birth) with consistent pseudonyms. Clinical content (lab values, diagnoses, notes) is transmitted as-is to generate clinically useful output.
| Provider | Used For | Data Sent | DPA / BAA |
|---|---|---|---|
| Anthropic (Claude) | Lab summaries, protocol fallback, chat | Pseudonymised clinical context | Anthropic API Terms |
| OpenAI (GPT-4o) | Protocol generation (primary), chat | Pseudonymised clinical context | OpenAI API Terms |
| Google (Gemini) | Knowledge base queries, PDF parsing | Pseudonymised or document text | Google Cloud DPA |
None of these providers use your data to train their models by default under their API agreements.
We use the following sub-processors to deliver the Service. All sub-processors are bound by data processing agreements requiring equivalent data protection standards.
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Railway | Cloud hosting & PostgreSQL database | All platform data | USA (AWS us-east-1) |
| Resend | Transactional email | Email address, email content | USA |
| Sentry | Error monitoring | Anonymised error payloads (PHI stripped) | USA |
| Anthropic | AI model (Claude) | Pseudonymised clinical context | USA |
| OpenAI | AI model (GPT-4o) | Pseudonymised clinical context | USA |
| Google Cloud | AI model (Gemini) | Pseudonymised or document text | USA / EU |
For practitioners subject to POPIA, the transfer of data to sub-processors in countries without adequate data protection is authorised by the standard contractual obligations in our sub-processor agreements, and by your consent given at account creation.
We implement the following technical and organisational measures:
If you discover a security vulnerability, please report it responsibly to security@expandhealth.io. We aim to acknowledge reports within 24 hours.
| Data Category | Retention Period |
|---|---|
| Active workspace data (patients, records, notes) | Retained while subscription is active |
| Data after trial expiry / subscription cancellation | 30-day grace period, then permanently deleted |
| Practitioner account data | Deleted within 30 days of account closure request |
| Billing records | 7 years (legal / tax obligation) |
| Audit logs | 2 years from creation |
| Server access logs | 90 days |
| Backups | 30-day rolling retention |
To request deletion of your account and data, contact privacy@expandhealth.io. We will action deletion requests within 30 days.
Under POPIA and applicable law, as a practitioner (data subject for your own account data) you have the right to:
Patients whose data you have entered into the platform are data subjects in relation to you (the controller). To exercise their rights, patients should contact you directly as their healthcare provider. We will assist you in fulfilling patient data requests — contact us at privacy@expandhealth.io.
Submit requests to privacy@expandhealth.io. We will respond within 30 days. Identity verification may be required before we process requests.
The Service is not directed to children under 18 as practitioners. However, as a healthcare platform, patient records for paediatric patients may be processed when entered by a practitioner. Practitioners are responsible for ensuring they have appropriate consent or legal authority to process records for minors.
We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a prominent notice in the Service at least 14 days before taking effect. The current version is always available at expandhealth.io/privacy.
Privacy queries: privacy@expandhealth.io
General support: support@expandhealth.io
Security reports: security@expandhealth.io
If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa.
Website: inforegulator.org.za
Email: inforeg@justice.gov.za