Saving Grace
Legal

Privacy policy

Last updated: 15 July 2026

This policy describes how Saving Grace collects, uses, and protects personal information when healthcare practices use our WhatsApp-first booking and workspace platform. It is written to help practices and patients understand our role under South Africa's Protection of Personal Information Act 4 of 2013 (POPIA). Your organisation's contracts, notices to patients, and local law still govern how you operate day to day.

Who we are

Saving Grace provides software and related services that help practices run guided booking flows on WhatsApp and manage appointments in a central workspace. Depending on your arrangement, we may process personal information as an operator on your instructions, while you remain responsible for clinical use of data and lawful communication with patients.

What we collect

We collect what is needed to deliver the service: for example, account and contact details for your team, configuration of flows and templates, booking and messaging metadata, operational logs for reliability and security, and support communications. The exact categories depend on how your practice uses the product and what you choose to capture in flows.

Patients may share health information — such as a reason for visit, symptoms, or medical aid details — through WhatsApp or intake forms. Under POPIA, this is special personal information and we process it only where a lawful basis applies, such as the patient's consent or the necessity of the healthcare service.

Lawful basis for processing

We process personal information only where we have a lawful basis under POPIA. This typically includes:

  • Consent: where patients opt in to WhatsApp booking and reminder services.
  • Contract: where processing is necessary to provide the platform under our agreement with the practice.
  • Legal obligation: where we are required to keep records or respond to lawful requests.
  • Legitimate interest: for operational security, abuse prevention, and product improvement, provided the interest is not overridden by the data subject's rights.

How we use information

  • Operating and improving the platform, including troubleshooting and quality metrics.
  • Security, abuse prevention, and meeting our legal obligations.
  • Communicating with authorised users about the service, incidents, and contractual matters.
  • Analytics that help us understand product usage in aggregate, subject to our agreements with you and applicable law.

We do not sell personal information. We do not use patient data to train public-facing AI models for unrelated purposes. Where optional AI/LLM features are enabled, they are used only to assist with the specific interaction and are governed by the terms agreed with the practice.

Automated decision-making

Saving Grace does not make clinical decisions or automated decisions that produce legal or similarly significant effects on patients. Optional LLM features may generate suggested responses or routing suggestions, but a human at the practice reviews or sends final communications. The platform is not a substitute for professional medical advice.

Sharing & subprocessors

We use infrastructure and service providers (for example hosting, messaging channels, and operational tools) who process data only as needed to provide Saving Grace. WhatsApp and Meta services have their own terms and privacy practices; your practice should align channel use with your policies and regulatory requirements. We will share information where required by law or to protect rights, safety, and the integrity of the service.

A current list of material sub-processors is available on request and will be maintained in our compliance documentation.

International transfers

Some of our sub-processors are located outside South Africa, including in the United States and the European Union. Where personal information crosses borders, we rely on appropriate safeguards consistent with POPIA Section 72, such as your consent, contractual necessity, and data processing agreements with the relevant providers. If you would like more detail on these safeguards, please contact us.

Retention

We retain information for as long as your account is active and for the periods needed for backups, legal, and operational purposes. Specific retention periods vary by data category and are set out in our retention policy, which we will share on request. When information is no longer needed, we delete or anonymise it securely.

Security

We implement administrative, technical, and organisational measures appropriate to the nature of the service, including encryption in transit, access control, audit logging, and environment separation.

Your rights & requests

Under POPIA, data subjects have rights including access, correction, deletion, objection to processing, and lodging a complaint with the Information Regulator. If you are a patient or end user, the practice is usually the first place to exercise these rights. If you contact us directly, we may need to verify your request and coordinate with the relevant practice. Authorised administrators at your organisation can reach out for data subject requests that relate to our processing on your behalf.

Children

Our service is intended for use by adults and by practices on behalf of their patients. If a child under 18 uses the service, the practice should obtain consent from a parent or guardian and process the child's information in accordance with POPIA.

Cookies and analytics

Our websites and applications may use cookies and similar technologies for authentication, security, and analytics. We use these technologies only to the extent necessary to operate and improve the service.

Changes

We may update this policy from time to time. We will post the revised version here and adjust the “last updated” date. Material changes may also be communicated through the product or by email where appropriate.

Contact

Questions about this policy or our privacy practices? Contact our team.

Complaints

If you believe we have not handled your personal information in accordance with POPIA, you have the right to lodge a complaint with the South African Information Regulator at inforegulator.org.za.

Related

Legal documents work best as a set. Cross-check with your internal policies and agreements.

Discussing procurement, DPIAs, or a tailored data processing addendum? We will meet you at the depth your organisation needs.